How to create temporary URLs to prevent hotlinking in PHP?

Time: 2021-09-07 16:29:35

I'm looking to build a simple upload site that will generate temporary URLs to video files after a captcha has been entered. I need to protect the true location of the files, so they cannot be hotlinked directly. A time-based URL that expires after x minutes seems like the best option, but I'm not sure about the actual implementation.

Any tips?

5 solutions

#1


Make your urls like this:

http://myvid.com/video?id=1&timestamp=12341561234&hash=1203941h23jk479sdf87sdf

Where timestamp is the unix timestamp and hash is an md5 hash, say, of the timestamp appended to a secret string on the server.

Then, when you play that video, check if the timestamp field is valid (by using the hash), and then check to see how old the timestamp is.

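An added example (not the answerer's code) of the stateless signed-URL scheme described in this answer, in PHP. It keeps the answer's shape (id, time field, hash in the query string) but makes two changes a defender would want: the hash is an HMAC-SHA256 over both the video id and an absolute expiry time, rather than an md5 of the timestamp alone (with the answer's construction nothing binds the hash to the id, so a token issued for one video validates for every video), and the comparison uses hash_equals(). The hostname and the $SECRET value are placeholders.

```php
<?php
// Added example: stateless temporary URL signed with an HMAC (not the original answer's code).
// The secret never leaves the server; anyone can read the URL but nobody can forge or extend one.

const URL_TTL_SECONDS = 600;                              // links live for 10 minutes
$SECRET = 'replace-with-a-long-random-server-secret';    // assumed value; load from config, not source

// Hex-encoded HMAC over "id|expires". Binding the id prevents reuse of a token across videos.
function sign(int $id, int $expires, string $secret): string {
    return hash_hmac('sha256', $id . '|' . $expires, $secret);
}

// Build the temporary URL. We sign an absolute expiry rather than the issue time, so the TTL is
// fixed at issue and the verifier has nothing to compute beyond "is now past expires?".
function makeTemporaryUrl(int $id, string $secret, ?int $now = null): string {
    $expires = ($now ?? time()) + URL_TTL_SECONDS;
    return 'http://myvid.com/video?' . http_build_query([
        'id'      => $id,
        'expires' => $expires,
        'hash'    => sign($id, $expires, $secret),
    ]);
}

// Verify a request's query parameters. Returns the video id, or null with the reason in $reason.
function verifyTemporaryUrl(array $query, string $secret, ?string &$reason = null, ?int $now = null): ?int {
    foreach (['id', 'expires', 'hash'] as $k) {
        if (!isset($query[$k]) || !is_string($query[$k])) { $reason = 'missing parameter'; return null; }
    }
    if (!ctype_digit($query['id']) || !ctype_digit($query['expires'])) { $reason = 'malformed parameter'; return null; }
    $id      = (int)$query['id'];
    $expires = (int)$query['expires'];
    // Check the signature first: until we know the server produced "expires", its value is untrusted.
    // hash_equals() compares in constant time, so the hash cannot be guessed byte by byte.
    if (!hash_equals(sign($id, $expires, $secret), $query['hash'])) { $reason = 'bad signature'; return null; }
    if (($now ?? time()) > $expires) { $reason = 'expired'; return null; }
    return $id;
}

// Usage: issue a link after the captcha, then verify it as video.php would (using $_GET in production).
$url = makeTemporaryUrl(1, $SECRET);
parse_str(parse_url($url, PHP_URL_QUERY), $params);
$id = verifyTemporaryUrl($params, $SECRET, $reason);
echo $id !== null ? "valid, serve video $id\n" : "rejected: $reason\n";

// A client that edits "expires" to buy more time is stopped by the signature check, not the clock.
$params['expires'] = (string)($params['expires'] + 3600);
$id = verifyTemporaryUrl($params, $SECRET, $reason);
echo $id !== null ? "valid, serve video $id\n" : "rejected: $reason\n";
```

Because the state is entirely in the URL, this scheme needs no database and scales trivially; the trade-off is that a link cannot be revoked before its expiry, which the database approach in the next answer can do.
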
#2


Yegor, they use Mod Rewrite. So when someone enters www.domain.com/video/1234567890/theLongHashCode you write in .htaccess that the url should be treated as video.php?timestamp=12341561234&hash=1203941h23jk479sdf87sdf

This allows you to prevent showing the actual URL.

Some sources on mod rewrite: http://www.modrewrite.com/

What you would need to put in the .htaccess file, assuming you have the mod_rewrite module enabled on Apache:

RewriteEngine On
RewriteRule ^video/([0-9]+)/(.*)  video.php?timestamp=$1&hash=$2

This only takes in 2 values: timestamp and hash. The video id is not sent. I would not even send the timestamp. For a temporary URL, I only generate a hash and store it in the database along with the timestamp. So when someone visits a URL, I look up the hash in the database. If the hash exists, then I compare the timestamp from the database with the current time, and if it is within the time limit, then the URL is considered valid; otherwise it is invalid and I write to the page "This link has expired."

So I would have the url look like: http://hsbsitez.com/video/thehashcodehere

With the following .htaccess file to interpret that url.

RewriteEngine On
RewriteRule ^video/(.*)  video.php?hash=$1  

Where video.php is the file that checks if the hash exists in the database or not.

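An added example (not the answerer's code) of the database-backed scheme in this answer: the URL carries only an opaque token, and the token's expiry and the real file path live server-side. It assumes an SQLite database reached through PDO (in-memory here so the script runs stand-alone; the answer does not name a database), videos stored outside the document root under an assumed VIDEO_ROOT, and the rewrite rule above delivering the token as $_GET['hash'].

```php
<?php
// Added example: temporary links backed by a token table (not the original answer's code).

const TOKEN_TTL_SECONDS = 600;
const VIDEO_ROOT = '/srv/videos';   // assumed; must be outside the web server's document root

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');   // assumption: production would use a persistent DSN
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS temp_links (
        token      TEXT PRIMARY KEY,
        video_file TEXT NOT NULL,
        expires_at INTEGER NOT NULL)');
    return $db;
}

// Called once the captcha passes. The token is random output of a CSPRNG, not derived from
// anything the client knows, so it can be neither guessed nor forged, and the video id never
// appears in the URL.
function issueTemporaryLink(PDO $db, string $videoFile, ?int $now = null): string {
    $token = bin2hex(random_bytes(16));   // 128 bits, 32 hex characters
    $stmt = $db->prepare('INSERT INTO temp_links (token, video_file, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([$token, basename($videoFile), ($now ?? time()) + TOKEN_TTL_SECONDS]);
    return 'http://hsbsitez.com/video/' . $token;
}

// video.php logic: resolve the token to a filesystem path, or null with the reason in $reason.
function resolveToken(PDO $db, string $token, ?string &$reason = null, ?int $now = null): ?string {
    // The rewrite rule's (.*) passes anything through; accept only the exact shape we issue.
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) { $reason = 'malformed token'; return null; }
    $stmt = $db->prepare('SELECT video_file, expires_at FROM temp_links WHERE token = ?');
    $stmt->execute([$token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) { $reason = 'unknown token'; return null; }
    if (($now ?? time()) > (int)$row['expires_at']) {
        // Expired rows are deleted on sight so the table does not grow without bound.
        $db->prepare('DELETE FROM temp_links WHERE token = ?')->execute([$token]);
        $reason = 'This link has expired.';
        return null;
    }
    // basename() at insert time and again here confines the path to VIDEO_ROOT.
    return VIDEO_ROOT . '/' . basename($row['video_file']);
}

// Request handling as video.php would do it: the real path is resolved server-side and is never
// sent to the client; only the token is ever visible in a URL.
function handleRequest(PDO $db, array $get): void {
    $path = resolveToken($db, (string)($get['hash'] ?? ''), $reason);
    if ($path === null || !is_file($path)) {
        http_response_code(410);   // Gone: the link is not (or no longer) valid
        echo $reason ?? 'This link has expired.';
        return;
    }
    header('Content-Type: video/mp4');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: inline; filename="' . basename($path) . '"');
    readfile($path);
}

// Demonstration: issue a link, then resolve its token as video.php would.
$db    = openDb();
$url   = issueTemporaryLink($db, 'lecture01.mp4');
$token = substr($url, strrpos($url, '/') + 1);
echo "issued: $url\n";
echo "resolves to: ", resolveToken($db, $token, $reason) ?? "rejected ($reason)", "\n";
// Past the TTL the same token is refused and its row removed.
echo "after TTL:   ", resolveToken($db, $token, $reason, time() + TOKEN_TTL_SECONDS + 1) ?? "rejected ($reason)", "\n";
```

Keeping the state server-side is what lets you revoke a link early (delete the row) or make it single-use (delete it on first successful resolve), neither of which a purely signed URL can offer.
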
#3


<?php
// Serve a file that lives outside the document root, so its real path is never exposed.
header('Content-Type: application/force-download');

$fileee = 'filename.zip';
$file_Location = "/..yourfolder/" . $fileee;

header('Content-Length: ' . filesize($file_Location));
header("Content-Disposition: inline; filename=\"" . $fileee . "\"");

// The original opened $fileLocation, which was never set; it must be the same variable as above.
$file_Pointer = fopen($file_Location, "rb");
fpassthru($file_Pointer);
fclose($file_Pointer);

#4


Use a FORM with method set as PUT

Have you thought about using a form with the PUT method? This is exactly one of the cases that PUT is designed for - not being able to revisit the page with the same URL. Just create a simple form that has a few hidden fields and you can make a javascript link that submits it. This way you don't have to worry about users trying to revisit the links or having the links in their history.

Example:

<form id="myform" method="put" action="viewimage.php">
  <input type="hidden" name="id" value="uniquevalue" />
  <input type="hidden" name="filename" value="foo.jpg" />

  <a href="javascript:myFunctionToInvokeSubmit()">Image foo.jpg</a>
</form>
<script>
  // Submits the hidden form when the link is clicked.
  function myFunctionToInvokeSubmit() {
    document.getElementById('myform').submit();
  }
</script>

Superficially, no one will be able to revisit the image without having to do some HTTP magic beyond your typical user. However, to further verify that the image is only launched after a click, you can register the id in the session and timestamp it, then check against the timestamp when the image is viewed.

#5


I would recommend not printing the whole file via PHP, because it is resource-consuming (even fpassthru). There is another option - using your own script for generating pairs temporary url => original url with RewriteMap prg. But this option should be used carefully.

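An added example (not the answerer's code) of the RewriteMap prg approach this answer mentions: a small PHP program that Apache keeps running and consults for every /video/<token> request, returning the real file path so Apache serves the file itself and PHP never streams it. The token table is constructed inline here so the script runs stand-alone; in practice it would be the database table from answer #2. VIDEO_ROOT, the script path and the constructed tokens are assumptions. The "should be used carefully" part is real: Apache starts exactly one mapper process and feeds every lookup through it, so a crash, a stray line of output or an unflushed answer stalls or breaks all requests that use the map. RewriteMap can only be declared in server or virtual-host configuration, not in .htaccess.

```php
#!/usr/bin/env php
<?php
// Added example: an Apache RewriteMap "prg:" mapper (not the original answer's code).
// Matching vhost configuration (assumed paths):
//
//   RewriteEngine On
//   RewriteMap  tmpvideo "prg:/usr/local/bin/tmpvideo-map.php"
//   RewriteRule ^/video/([0-9a-f]{32})$ "${tmpvideo:$1|/expired.html}" [L]
//
// Protocol: Apache writes one key per line to our stdin and expects exactly one line back per
// key; the literal "NULL" means "no mapping", which makes the rule fall back to /expired.html.
// A substitution is treated as a filesystem path only in server/vhost context and only when
// its first path component exists on disk, so VIDEO_ROOT must exist.

const VIDEO_ROOT = '/srv/videos';   // assumed; outside the document root

// Token table, constructed inline for this example. With the answer #2 schema this would be a
// prepared SELECT per lookup.
$links = [
    'c3f1d2e4a5b6978877665544332211ff' => ['file' => 'lecture01.mp4', 'expires_at' => time() + 600],
    '00112233445566778899aabbccddeeff' => ['file' => 'old.mp4',       'expires_at' => time() - 1],
];

// Resolve one key to a filesystem path; null if malformed, unknown or expired.
function lookup(array $links, string $key, ?int $now = null): ?string {
    // The key is a piece of the request URL chosen by the client; accept only our exact token shape.
    if (!preg_match('/^[0-9a-f]{32}$/', $key)) {
        return null;
    }
    $row = $links[$key] ?? null;
    if ($row === null || ($now ?? time()) > $row['expires_at']) {
        return null;
    }
    // basename() keeps the answer confined to VIDEO_ROOT even if the stored name were ever tainted.
    return VIDEO_ROOT . '/' . basename($row['file']);
}

// Main loop: one answer line per input line, nothing else on stdout, never exit on error.
while (($line = fgets(STDIN)) !== false) {
    try {
        $path = lookup($links, rtrim($line, "\r\n"));
    } catch (Throwable $e) {
        // Fail closed and keep running: an exception must not kill the single shared mapper.
        error_log('tmpvideo-map: ' . $e->getMessage());
        $path = null;
    }
    fwrite(STDOUT, ($path ?? 'NULL') . "\n");
    fflush(STDOUT);   // prg: maps are line-oriented; a buffered answer deadlocks the request
}
```

To try it outside Apache, pipe keys in by hand: printf 'c3f1d2e4a5b6978877665544332211ff\nbogus\n' | php tmpvideo-map.php prints the resolved path for the first key and NULL for the second. Note that the expiry is enforced in the mapper, so an expired token is redirected to /expired.html rather than reaching the file, and the real path is used only for Apache's internal rewrite; it never appears in a response.
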