On our own website, it's easy to protect against direct links to our video content by grabbing a token through AJAX and verifying the token through PHP before the file download is started.

However, I'm also researching how I could provide an embed feature, like YouTube or Vimeo etc., without compromising this security feature.

The problem is that the embed code I want to provide should look something like `<object>...<embed>...</embed></object>` -- but I don't know how to grab and append the token to the filename. I mean, I guess I could attach a script that did some gnarly JNOP business, but that's too dirty.

I'm using JW Player for the actual video container.

Huge thanks to anyone who can help...

A: 

You can do this without the token. First don't allow your videos to be linked to directly at all. Put them outside of the document root.

Now create a wrapper function that checks to see if the user is allowed to download it. You can set a cookie or session parameter on the download page that expires in 5 minutes. The wrapper just checks to see if this is set. If so, then read the swf and send it to the user with appropriate headers.*

Now you link to `/path/viewSwf?id=123` in your `<object>` tag and everything is happy!

* You will probably need to set the PHP timeout to a larger value if your video is long.

Byron Whitlock
For sure... that's pretty much what I'm doing. The videos are beneath the document root. Then if you go to `/watch?ts=1234567890` To better state the problem: how can I set the cookie on an external server, without anything beyond `<embed>`/`<object>`? It doesn't seem possible.
JKS
A: 

Do this:

  1. Make the embed a script pointing to your server.
  2. When the script is requested, generate a token and save it in a database + output it in the script
  3. Make the script print out the embed tag with the token in there as a parameter.

There you go.

Henri Watson
This is the problem: "phone home and get a One Time Use token." If the phoning home involves ActionScript within the SWF player, then I'm out of luck. (On our own site we grab the token with AJAX before embedding the video.)
JKS
Why can't you modify the player?
Henri Watson
I guess I could :) Just not looking forward to having to use/learn Flash. Probably a long-term project. Thanks for yr help.
JKS
OR, make the embed code a JavaScript thinger that calls home, and prints the embed code with the token in it. OR, when the JavaScript script is called, generate the token. Bam.
Henri Watson
Yep, that's exactly what I ended up doing. The embed code is a `<script>`... when the script is requested, I use PHP's `file_get_contents()` to "inject" a token into the script. I chose not to use XHR just because it would have added a lot of overhead compared to the PHP solution. Thanks again.
JKS
Fixed answer a bit :)
Henri Watson
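
The three steps in the answer above, together with the download-wrapper check from the first answer, sketched as an added example (not code from the thread) in Node.js rather than the PHP the posters use. The `token` parameter name, the in-memory `Map` standing in for the database, and the 5-minute token lifetime are assumptions.

```javascript
// Added example: server side of a token-injecting embed script.
const { randomBytes } = require('node:crypto');

const TOKEN_TTL_MS = 5 * 60 * 1000; // assumed lifetime
const tokens = new Map();           // stand-in for the database table

// Step 2: generate an unguessable token when the embed script is requested
// and record which video it was issued for.
function issueToken(videoId, now = Date.now()) {
  const token = randomBytes(32).toString('hex');
  tokens.set(token, { videoId: String(videoId), expires: now + TOKEN_TTL_MS });
  return token;
}

// Step 3: the script body prints the embed tag with the token as a parameter.
function renderEmbedScript(videoId, now = Date.now()) {
  // Reject anything but a numeric id so nothing attacker-chosen reaches the markup.
  if (!/^\d+$/.test(String(videoId))) throw new Error('invalid video id');
  const token = issueToken(videoId, now);
  const src = `/path/viewSwf?id=${videoId}&token=${token}`; // "token" name is assumed
  const tag = `<object><embed src="${src}"></embed></object>`;
  // JSON.stringify produces a valid JS string literal; "<" is escaped as well
  // so the body stays safe if it is ever inlined in an HTML page.
  return `document.write(${JSON.stringify(tag).replace(/</g, '\\u003c')});`;
}

// Download wrapper check: a token is good once, for one video, before expiry.
function redeemToken(token, videoId, now = Date.now()) {
  const entry = tokens.get(token);
  if (!entry) return false;
  tokens.delete(token); // burn on first use, even if a check below fails
  return entry.videoId === String(videoId) && now <= entry.expires;
}
```

The wrapper would call `redeemToken()` before streaming the file from outside the document root and answer with an error status when it returns `false`.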