如何防止用户直接下载MP3 [英] How can I prevent users from downloading MP3s directly
问题描述
我正在构建一个类似于Web无线电的服务,其中用户对服务进行身份验证,获取Cookie,然后基于Flash的应用从服务器播放mp3.仅当允许该特定mp3客户端使用时,服务器才会传送.
I'm building a web-radio like service, in which the user authenticates to the services, gets a cookie and a Flash-based app plays mp3s from the server. The server only delivers if the client is allowed for that particular mp3.
如果用户打开HTTP记录器(如FireBug),则可以看到Flash正在下载的文件.如果他直接通过地址栏打开mp3 URL,尽管用户无法猜到URL,但他可以轻松下载MP3.
If a user opens a HTTP logger (like FireBug), he can see the files being downloaded by flash. If he opens the mp3 URL directly via the address bar, he can easily download the MP3, although the URLs are not guessable by the user.
我正在寻找一个安全的系统,以防止用户将MP3直接下载到他的系统中.我检查了last.fm,因为他们使用了类似的设置,并且以某种方式阻止了它.
I'm looking for a safe system to prevent the user from downloading the MP3 directly to his system. I have examined last.fm, as they use a similar setup, and somehow they prevent it.
推荐答案
最后,您将无法阻止确定的人.但是,您至少可以使它变得困难.
In the end, you're not going to be able to stop someone who's determined. However, you can at least make it difficult.
有多个选项涉及引荐来源网址检查,身份验证以及类似的有趣内容.但是,我见过的最成功的反下载检查可能是这样的:
There are several options involving referrer checks, authentication, and fun stuff like that. But probably the most successful anti-downloading check I've seen was one that works like this:
用户指示他要流式传输文件;该应用会发出经过身份验证的加密请求,以表明他希望执行的操作.结果是一个供用户使用且有时间限制的URL,该URL可以由承载该文件的任何应用程序或CDN识别.网址使用过一次(即由Flash应用程序)后,它就会过期,并且永远无法再次使用.如果流式传输未在给定的时间(几秒钟)内开始,则URL同样会过期.显然,给定的URL不直接与文件名相对应,而是在服务器端进行身份验证,解码和转换.
The user indicates that he wants to stream a file; the app makes an authenticated, encrypted request indicating his desired action. The result is a one-use-only and time-limited URL that is recognized by whatever application or CDN is hosting the file. After the URL is used once (i.e. by the flash app) it then expires and can never be used again. If the streaming does not start within a given amount of time (several seconds), the URL likewise expires. Obviously the URL given does not directly correspond to the file name, but is instead authenticated, decoded, and translated server-side.
解决起来仍然不是没有可能,但这是相当困难的.
It's still not impossible to work around, but it's fairly difficult.
这篇关于如何防止用户直接下载MP3的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
