Audio Files : Security concern; how to prevent unauthorized downloading of audio files from a server

Question

For a church website I'm managing, there is a need to place audio files (sermons) on the website. There will be two categories of audio files; one will be a sample size of the audio file, around 5 minutes in length. The other will be the full-length of the sermon (30-50 +/- minutes).

I have decided the best setup would be to place the audio files on the server. I would then store the audio information, as well as the path to the audio file, in a database. I had thought about placing the audio files in the database as a BLOB, but it seemed inefficient.

My concern, is with tools like Mozillza plug-in "Download Helper" , it is so easy to simply grab the media files off the server. This would not be a big deal, except we want to sell the full-length audio files. I am running ASP.NET 3.5 on IIS 7. Any ideas?

Answer 1

You need to configure IIS to not serve files from that directory, then write an ASHX page that transfers a file after checking authorization.

Answer 2

This can be done by storing the files in a location that is inaccessible to web users such as: a folder not served by IIS or a SQL Server database both with the appropriate access controls.

You can then determine if a user is authorized by allowing to request the file in a number of different ways, but ultimately, once you know your user is authorized and has purchased the file you can send the file to them using a response.write. See the example below for serving from the file system:

Response.Clear();
Response.ContentType = "audio/mpeg3";
Response.WriteFile("d:\private-downloads\private.mp3");
Response.AddHeader("Content-Disposition", "inline;filename=private.mp3");
Response.End();