We have made a Silverlight application where users can preview audio files from their browser using the Telerik RadMediaPlayer control.
The files are on a webserver and anyone who sniffs the traffic can download the file.
We would like to prevent non-logged-in users from accessing/downloading these files.
Besides providing the application with some sort of temporary valid url and implementing a custom httphandler… what are our options?
It’s not too big of a problem if our customers can download the files, we just don’t want the rest of the world to also have access.
Any ideas would be more than welcome!
[Update]
The only thing I can come up with is:
- host the files in a non-public folder
- if a user requests to prelisten a file, copy it to a public folder under a new name ([guid].mp3) and return its URL
- every x minutes clean the public folder.
Don’t let the web server serve up the files straight out of a directory. Put part of your application in front, and let one of your server-side scripts serve up these files. Keep the raw audio files out of the web root.
For instance, your client-side application would access files like so:
The code at yourscript would verify the session data, ensuring that a user is logged in, would then go figure out the real path to asset ID 12345, and echo its contents to the client. Don’t forget to include the proper Content-Type header as well.
Once the accessing of these assets is under your control, you can implement whatever security measures you like. If your sessions are already pretty well safe-guarded, this should be fine. I would also recommend implementing sane quotas. If you get 100 requests on an asset using the same session ID from multiple IP addresses… something isn’t right.
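A sketch of the gatekeeper script described in the answer above, added here as an illustration and not part of the original answer. It is framework-free Python; the storage path, session and asset tables, and the per-session IP threshold are all assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from pathlib import Path

# Assumption: raw audio lives outside the web root (hypothetical path).
ASSET_ROOT = Path("/srv/private-audio")
# Constructed sample data; a real application would query its database
# and its session store instead of these dictionaries.
ASSETS = {"12345": ("preview-track.mp3", "audio/mpeg")}  # asset ID -> (file, type)
SESSIONS = {"s3ss10n-abc": "alice"}                      # session ID -> user
MAX_IPS_PER_SESSION = 3                                  # assumed quota threshold

ips_seen = defaultdict(set)  # (session ID, asset ID) -> client IPs observed


def serve_asset(session_id, asset_id, client_ip, root=ASSET_ROOT):
    """Return (status, headers, body) for one request to the asset script."""
    # 1. Only logged-in sessions get any further.
    if session_id not in SESSIONS:
        return 401, {}, b"login required"

    # 2. The client sends an opaque ID, never a path; unknown IDs
    #    (including traversal attempts like "../x") simply do not resolve.
    entry = ASSETS.get(asset_id)
    if entry is None:
        return 404, {}, b"unknown asset"
    file_name, content_type = entry

    # 3. Quota: one session fetching the same asset from many addresses
    #    suggests the session ID is being shared or replayed.
    ips = ips_seen[(session_id, asset_id)]
    ips.add(client_ip)
    if len(ips) > MAX_IPS_PER_SESSION:
        return 429, {}, b"too many client addresses for this session"

    # 4. Defence in depth: the resolved file must still sit under the root.
    base = root.resolve()
    path = (base / file_name).resolve()
    if base not in path.parents or not path.is_file():
        return 404, {}, b"unknown asset"

    body = path.read_bytes()
    headers = {
        "Content-Type": content_type,
        "Content-Length": str(len(body)),
        "Cache-Control": "private, no-store",  # keep shared caches from storing it
    }
    return 200, headers, body
```
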