Hi Germi, I need assitance as I think many others here.
I´m totally afraid of file=src in JwPlayer. I that src anyone can take the url of any song. Furthermore, It can make a script to take all the ids of songs... Or Hotlinking (As many user noticed it in these forums)
I have to tell you I investigate for my own to give advices to this problem.

These are the 4 options that jwplayer forums recommends:

1-Encript / Obfuscate the variable "file". That way the user won´t see the path to song anymore, but this method works in client-side. So any "bad person" can still takes the path.
Benefits: Its a new security layer. Negatives: Its not the best way because its the encriptation its made on client side.

2- Temporary urls. This way the urls are available for certain time or certain access. After that, the url is unavailable to reach the file, and a new temporary url is created for it. That way, the leechers can´t take the links anymore, as well as downloads buttons, which I´m afraid to use them too at the moment I wrote. Also what I read is that it can combine with encript variables, making the ffile usefulless

Benefits: Perfects to eliminate leechers. Negatives: It´s more complicate to implement.

3- RMTP. As I undesrtand, It is basically a continuos stream, similar to a radio stream. So the songs becomes a single stream.

Benefits: Its better yet. Negatives: As I saw it, its more complicated to implement than anything.

4 DRM. (Digital Rights Management) Are used for large companies. But they use complex algortihms and aren´t cross-browser compatible. Each browser and even each platform and devices may use different DRM. Impossible to do. They need, as I read, many MANY thousands of dollars to start using it.

As I have breaking my head for days, I think a chance to get something is:

- Change ID´s in artists, albums, songs and playlist tables from correlatives to randoms numbers (As spotify does, for example)
THEN (Optional)
- Change SEF urls, from /ID-Artist/ID-Album/ID-song to /artist/ID or Album/ID or Song/ID or Playlist/ID. That way the ids, as now are random numbers, are difficult to get.
- Create a new table "TEMPORARY URLS" when fields "SONG_ID" and "TEMPORARY URL" for using in jwplayer functions and playlist of it.
- Create an encrypt key for file variables (assuming this variables are already temporary)

As fas as I could learn, I could help to test or maybe look for some data.
Can we work together to resolve this problem we have many users???
Thanks for read this papyrus Germi !! More thanks to the users who want to join this query!!
Responses (2)
  • Accepted Answer

    Friday, September 05 2014, 11:58 AM - #Permalink

    we are aware of that situation but the only real "truth" is that you need to have in mind that if the song can be STREAMED, then the song will be able to be downloaded (by a "bad user", like you say). encrypting it is not a possibility in this case.

    we have found that the best approach is to use what is called a "pseudo HTTP streamer". basically, streaming the songs from a local streamer, to hide the direct path to songs. again, a bad user will STILL be able to download the songs if he sees how, however the advantage for this scenario is that hotlinking can be prevented because the SESSION of the user streaming is added to the URL and therefore external streaming (hotlinking) is not possible, you can only strem from the page itself.

    the "bad" part is that since it's not a direct stream, the songs are processed to a script and the system can be a little slower (basically, the time for starting the song can be a bit slower, but should't be much)

    again, it's very important that you understand that there's no REAL way to "obfuscate" the access to the song to a user, if you give him the ability to stream it. do you know what I mean?
    The reply is currently minimized Show
  • Accepted Answer

    Friday, September 05 2014, 09:08 PM - #Permalink
    Hi Germi!
    we are aware of that situation but the only real "truth" is that you need to have in mind that if the song can be STREAMED, then the song will be able to be downloaded (by a "bad user", like you say)

    Of course, I ´ve already aware that if a file is streamed, ALWAYS are a way to get it. Of course, there are many options to restrict this download.

    - About your solution, I have read that you were testing the functionality of SessionIds 2 years ago, could you continue this test? Do you have any beta for to test now?

    All I wish is that Songs were a little more "protected" from leeching or download. I assume that If a user can´t download, I will change my bussiness platform, because I didn´t launch the site yet. But I prefer protect songs rather than more features for my users, cause they could play the songs in my site, and that´s the important thing.

    I have read a lot more in these ays, and there is a way to protect from leechers, maybe .htaccess rewrite for that folder, "rewriting" the files for nothing or a default file IF THE DOMAIN ISN´T OUR DOMAIN.


    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?*$ [NC]
    RewriteRule ^.*\.(bmp|tif|gif|jpg|jpeg|jpe|png)$ - [F]

    That code is for image leeching protection. In my site, I couldn´t make it work, or at least I cannot try it corectly.

    Also, there is a CPanel option for hotlinking protection. If any user here has this panel, we can take this to a group-soluton-interest.

    I also see a deny,allow sentences to allow only our ip. But They also give a 403 Forbidden access in our player ¿? Do you know why? Maybe the player or something use a script from another site? Should this code let the files et accessed ONLY from our site scripts and deny a direct access only when other people try to reach them?

    f not, is there is only a way, appart from your pseudo http. I´ve studied the spotify site, and I couldn´t get any song src. Is there a way you could check this for studying? The only thing I could get is that they use something called: data-uri="spotify:track:1DdPLWJ2w1Jw9NG82TR6XJ" . I saw something similar in stackideas codes, like Easysocial and Easyblog. I only know PHP, and some simple Javascript, but I ask you if that code is JSON or AJAX syntax, or a code to use these languages.

    Of course, I have to thank you for the answers and reading this. I know your codes don´t have to give something other sites have, but I only pretend to make MC better, and more secure for all users.
    • Germinal Camps
      more than a month ago
      well, yes, we had a beta for that, so if you would like to try it, please email me at support@ again, it's a BETA ;)
    The reply is currently minimized Show
Your Reply