Hiding your video location with secure streaming Streaming plugin extensions - Demo 7 / 10

Secure HTTP streaming

This demo shows you the theory behind hiding a video's URL. The URL is secured using the secure streaming plugin which is available only for Flowplayer versions 3.1 and above. You can download the free version or upgrade to the latest commercial version of Flowplayer here. The purpose of this demo is to teach you the basics of securing the video path; however, the level of security is not enough here. If you need "real" security, move on to demos farther below.

With HTTP-based security, the trick is to alter the requested URL. This example uses the Extremists.flv video file that can be seen in the page's source code. When the video file is requested, the path of the file is "hashed" and it takes the following format:

/video/027a89fc1b8967ebc564af80c68db0ce/987987987/Extremists.flv

HTML coding

Here you can see the video file name which is visible to the user.

<!-- player container. file name is visible. path will be secret -->
<a
	href="Extremists.flv"
	style="display:block;width:425px;height:300px;"
	id="player">

	<!-- splash image inside the container -->
	<img src="/img/home/flow_eye.jpg" alt="Search engine friendly content" />

</a>

Flowplayer configuration

We need to configure our secure plugin with two important variables: timestamp and token. Both of these variables are used in generating the hashed file path. This simple demo uses a hard coded timestamp value so that the hashed path will not change from request to request. This gives us the ability to demostrate the principles of hashing without any server-side logic.

flowplayer("player", "/swf/flowplayer-3.1.5.swf", {

	// enable secure streaming plugin
	plugins: {

		secure: {
			// path to the latest version
			url: 'flowplayer.securestreaming-3.1.1.swf',

			// a hard-coded timestamp
			timestamp: 987987987,

			// a secure token
			token: 'my-token'
		}

	},

	// make the video clip use our secure streaming plugin
	clip: {
		urlResolvers: 'secure',

		// must be given
		baseUrl: '/video'
	}

});

After this configuration, the actual video URL takes the following format:

/baseUrl/hash/timestamp/streamName

The parts of this URL are as follows:

• baseURL is determined based on the baseURL given in the clip/common clip or in the clip's URL. If baseURL is not explicitly specified, it's the same as the embedding HTML page location.
• hash is calculated as follows: MD5.hash(token + streamName + timestamp) where token is specified in the configuration and should match the value on the server.
• timestamp is a timestamp given as a hex string. This is the number of seconds since January 1, 1970, 00:00:00 in hexidecimal notation. You can calculate this value in the following ways:
  • Java: Long.toHexString(System.currentTimeMillis()/1000)
  • PHP: sprintf("%08x", time())
  If you don't have the ability to calculate this on the page, you can alternatively specify a timestampUrl that fetches the value from the server.
• streamName is the name of the video file, for example, Extremists.flv, flowplayer.flv, or rocknroll.mp4.

The example above will always generate the following URL:

/video/51c3544ac33a24b012ba69bf6349db78/987987987/Extremists.flv

and when we have the directories on the server, the video file can be loaded directly. We have not achieved our goals yet because anyone can copy-and-paste that URL anywhere they want and load the video. The trick is to alter this video URL from request to request and make those URLs expire after a certain amount of time. You can see such a cofiguration in the next demo.