I want users to be able to upload mp3s and also be able to play them through a player embedded on a page. I know it's impossible to stop dedicated users from copying the audio by directly recording it from the computer's output, but I want to make it difficult or impossible for a user to just copy a URL and paste it, which will allow them direct access to the data.

Currently, what I am doing is:

  • Saving the mp3 files to a directory that is not accessible to my web server.
  • Using headers to change the mime type to text/html instead of audio/mpeg (my swf player doesn't care, it just reads the data).

The problem is the url to the controller that feeds the data is accessible. So if a user looks at the source of the page and copy-pastes the url in the address bar, the web server will happily spew the mp3 data to them.

Does anyone have any suggestions on how to make this more difficult to do? Thanks.

A: 

Depends on how hard you want to make it. You could use javascript to rewrite the url, basic ROT-13 and hopefully people won't bother to decode it.

I haven't tried putting a javascript function in an html object src though.

s_hewitt
A: 

I don't know if a Flash player solution can do it but it might be worth looking into.

動靜能量
I am currently using SoundManager 2, which is a Flash-based mp3 player.
Peter D
+2  A: 

Use a PHP script to mask the location so

http://www.site.com/files/foo.mp3

Becomes

http://www.site.com/files.php?fn=foo.mp3

Flash is probably the next step from there. Maybe have it use some form of one-time id to authorize the download using shared state. Your session_id will come in helpful here.

Remember: Flash may keep a cache in some temporary folder ... I know I used to find /tmp/aiden-sdjks/foo.mp3 on some players. There might be a better streaming solution in flash that takes another file format on the backend?

At least this stops people looking in the source and finding the URL. Unless they go to the effort of reverse engineering the player and writing their own to spit out the download.

Security through obscurity is a dangerous road to head down however. Someone, with enough effort, will always succeed. Look at how BBCIplayer does their DRMification, might help.

Aiden Bell
The one time ID thing is a great idea. Thanks.
Peter D
No worries. The streaming suggestions below are also a good idea. I don't think 100% security is realistic in many cases, but you can make it a pain in the arse!
Aiden Bell
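
The one-time ID idea discussed in the answer above, sketched in PHP as an added example (not code from any poster in this thread). The names `AUDIO_DIR`, `TOKEN_TTL`, `issue_token`, `redeem_token` and the `t` query parameter are assumptions made for illustration; only `files.php?fn=` comes from the answer.

```php
<?php
// Added example: one-time, session-bound token guarding files.php.
// AUDIO_DIR, TOKEN_TTL, issue_token(), redeem_token() and "t" are hypothetical names.
declare(strict_types=1);

const AUDIO_DIR = '/var/media/mp3';  // assumed real path outside the web root
const TOKEN_TTL = 30;                // seconds a token stays valid

// Call while rendering the player page (session already started) and put the
// result in the player URL: files.php?fn=foo.mp3&t=<token>
function issue_token(string $file): string
{
    $token = bin2hex(random_bytes(16));  // 128 bits from the CSPRNG
    $_SESSION['audio_tokens'][$token] = [
        'file' => basename($file),
        'exp'  => time() + TOKEN_TTL,
    ];
    return $token;
}

// Returns the file's absolute path if the token is valid for this session,
// otherwise null. The token is deleted on first use, so a URL copied from the
// page source fails when pasted later or into a browser with another session.
function redeem_token(string $token, string $file): ?string
{
    $entry = $_SESSION['audio_tokens'][$token] ?? null;
    unset($_SESSION['audio_tokens'][$token]);
    if ($entry === null || $entry['exp'] < time()) return null;
    if ($entry['file'] !== basename($file)) return null;  // token is per file
    // basename() above strips directory parts; realpath() plus the prefix
    // check rejects anything that still resolves outside AUDIO_DIR.
    $path = realpath(AUDIO_DIR . '/' . $entry['file']);
    if ($path === false || strpos($path, AUDIO_DIR . '/') !== 0) return null;
    return $path;
}

// Request handler: runs only when this script is served as files.php.
if (basename($_SERVER['SCRIPT_NAME'] ?? '') === 'files.php') {
    session_start();
    $t  = is_string($_GET['t'] ?? null) ? $_GET['t'] : '';
    $fn = is_string($_GET['fn'] ?? null) ? $_GET['fn'] : '';
    $path = redeem_token($t, $fn);
    if ($path === null) { http_response_code(403); exit; }
    header('Content-Type: audio/mpeg');
    header('Content-Length: ' . filesize($path));
    header('Cache-Control: no-store');
    readfile($path);
}
```

A player that requests the file more than once needs a freshly issued token for each request. As the answer notes, this only raises the effort: anyone who can play the track in their own session can still capture the bytes.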
+2  A: 

Connected straight to a file on a server with Flash is called progressive streaming. This makes the Flash player load the entire file from the server when playing. There is another solution: streaming that only loads a small fraction of data into the user's machine at any time during playback.

The most reliable option for Flash is to use a streaming server for your content. Flash Media Server is one option but that's a product you can either purchase or find a hosted version (like Akamai). If you are a smaller unit, there are open source versions of the Media server like Red5 (http://osflash.org/red5).

Not sure about Windows Media Player or QuickTime players but I am sure there are similar solutions there as well.

Arpit
A: 

You should store the files in a protected directory. My hosting service (Nearly Free Speech) sets this up for you automatically, and you can retrieve the file within a CGI script (PHP for example) and either write to a temporary file or use the binary directly. For example, I store a simple list of visits to my personal website in this directory, which is outside of the scope of the web root.

ankur