Question

What I am trying to achieve is to create a one-time video link for the user. Once they watch the video, the link expires; let's say the link expires 1h after its original creation.

The problem is how to go about it. I can use mod_rewrite to dynamically pass values to PHP and SQL.

So let's say

mysite.ltd/get_video/Jn12lM2NMZ21oMW312/11111111/The-Amazing-Spider-Man.mp4

Breakdown: get_video is get_video.php, Jn12lM2NMZ21oMW312 is a temporary token and 11111111 is a time stamp, The-Amazing-Spider-Man.mp4 is the file name.

Based on my conclusion, the token + time stamp would be generated on video page visit and inserted into SQL. If the user shared the video link, others won't be able to access it, as it would fail on token validation, which is get_video comparing the hashed IP of the current user to the hash token in SQL.

This is my view on how to do it, but I was wondering if anyone has a better solution.


Solution

You do not even need to save the token and timestamp. What you want is a hash of the user's IP address, a timestamp and some nice long secret salt (preferably generated uniquely for every user):

$token = somehash($ip_address . $timestamp . $secret);

$url = 'http://xxx/' . $token . '/' . $timestamp . '/filename';

Once the user visits the URL you replay the hash with the user's data. If equal and the request hasn't expired yet, serve the video.
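The stateless scheme from the answer above, as an added PHP example that is not part of the original answer: it uses `hash_hmac` in place of the unspecified `somehash`, also binds the file name into the token, and compares with `hash_equals`. The function names, the `LINK_SECRET` and `LINK_TTL` constants and the sample IP addresses are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: secret comes from server-side config; this value is constructed.
const LINK_SECRET = 'constructed-demo-secret';
const LINK_TTL = 3600; // one hour, as in the question

function make_token(string $ip, int $issuedAt, string $file, string $secret): string
{
    // Keyed HMAC over delimited fields, so adjacent values cannot be shifted
    // between the IP, timestamp and file name without changing the input.
    return hash_hmac('sha256', implode('|', [$ip, $issuedAt, $file]), $secret);
}

function make_url(string $ip, string $file, int $now, string $secret): string
{
    $token = make_token($ip, $now, $file, $secret);
    return sprintf('/get_video/%s/%d/%s', $token, $now, rawurlencode($file));
}

function verify_link(string $token, string $ts, string $file, string $ip, int $now, string $secret): bool
{
    // Everything taken from the URL is untrusted: digits only for the timestamp.
    if (preg_match('/^\d{1,10}$/', $ts) !== 1) {
        return false;
    }
    $issuedAt = (int) $ts;
    // Reject expired links and timestamps from the future.
    if ($issuedAt > $now || $now - $issuedAt > LINK_TTL) {
        return false;
    }
    // Plain file names only, no path components.
    if (preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $file) !== 1) {
        return false;
    }
    // Replay the hash and compare in constant time.
    return hash_equals(make_token($ip, $issuedAt, $file, $secret), $token);
}

// Constructed demo: issue a link, then check it under three conditions.
$issued = 1700000000;
$url = make_url('203.0.113.7', 'The-Amazing-Spider-Man.mp4', $issued, LINK_SECRET);
[, , $token, $ts, $file] = explode('/', $url);
$file = rawurldecode($file);
var_dump(verify_link($token, $ts, $file, '203.0.113.7', $issued + 60, LINK_SECRET));   // same client, in time
var_dump(verify_link($token, $ts, $file, '198.51.100.9', $issued + 60, LINK_SECRET));  // shared to another IP
var_dump(verify_link($token, $ts, $file, '203.0.113.7', $issued + 3601, LINK_SECRET)); // past the hour
```

Because nothing is stored, the same client can reuse the link until it expires; strict single use requires recording spent tokens server-side. Clients behind a shared NAT address present the same IP, so the IP binding does not distinguish between them.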

Other tips

You got that part with tokens right. The token should be valid only for the current session, or if this link is used for streaming video on the same page, just generate a token for each request. For generating safe tokens you can use some secret salt variable, which I prefer to store in your config.php; basically any framework has a salt generated for you.

Usually you store the video/file name with an ID in the database. So construct the file path, validate the token, and you can force a download with headers and readfile(); check out the first comment, lots of code in there. That way nobody will know the location of your file.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow