Securing Videos

Hi –

I’m confused. I’ve searched a whole bit and looked at http://www.s2member.com/kb/jwplayer-s2stream-shortcodes/ a few times… It is not clear to me how to secure videos from download when using s2member and JW Player. Is this possible? I believe so.

When I put this s2stream shortcode in a page

[s2Stream player="jwplayer-v6" player_path="/jwplayer/jwplayer.js" file_download="access-s2member-level1/s6p1.mp4" download_key="yes" player_key="MY-PLAYER-KEY" rewrite="yes" /]

it generates this code line

sources: // Available sources.
						[
							{file: 'http://www.MYDOMAIN.org/wordpress/wp-content/plugins/s2member-files/s2member-file-download-key-a8907f3ea4d69f0b00f80a9164c3276a/s2member-file-stream-no/s2member-file-inline/access-s2member-level1/s6p1.mp4'}
						]
				}],

If the user is logged in to the website, they can simply go to the file URL shown above in a new browser window / tab and download the file if they remove a portion of the URL. (I won’t write that here, if you need to know which piece send me a private message.) The video is then served up and you can right-click to save it.

Also, what is the function of the download_key in this configuration?

So, what settings or other steps should I take to prevent this? I’d prefer a full self-hosted setup but if S3 Cloudfront is the only way to solve it so be it. (Assuming it is not too expensive.) Or is there a way that the downloaded file becomes useless in a settable period of time?

Thanks,

Ira

Hi Ira.

The files protected by s2Member are only available to those with the access to them. In your example, the file is protected at Level 1, meaning that only those logged in to your site with a Level 1 or higher account will be able to access it. Level 0 users or guests, won’t be allowed to download it. [hilite path]Dashboard -› s2Member® -› API / Scripting -› Custom Capability and Member Level Files[/hilite]

Now, adding the download key makes the file downloadable by anyone. Is there a reason why you’re adding the key there? If not, you should remove it. You can read more about the download key here: [hilite path]Dashboard -› s2Member® -› Download Options -› Advanced Download Restrictions[/hilite]

It is possible that when you tried the URL alone you were able to download the file because it has the download key, or because you were logged in to your admin account. Make sure it doesn’t have the download key and you’re logged out, and see if you can download the file then.

Amazon services are not expensive and improve delivery of the files.

These videos may interest you:
Video » s2Member (File Download Options)
Video » s2Member® File Downloads (Amazon S3/CloudFront/JW Player)

Hi Cristian,

Thank you for the clarification on the download key, I was confused about the functionality there.

s2member does control access to the file depending on if the member is logged in at the right level. What I would like to prevent is to keep the MEMBER who can view the video via JW Player from downloading the file itself. I realize that this may not be 100% achievable. However, I would prefer it to not be so easy as to grab the URL from the page source which is currently the case.

Yes, Amazon may be an option which I am researching further. But is there a simple way of hiding the URL of the source file as a starter? Or is there a way to make the video (in the file) unplayable after a certain time?

Thanks,

Ira

Yes, Amazon may be an option which I am researching further. But is there a simple way of hiding the URL of the source file as a starter? Or is there a way to make the video (in the file) unplayable after a certain time?

I’m unaware of any way to hide the URL to the video, but I can tell you that the best way to extend the amount of control that you have over the restrictions that Users must meet is by wrapping your Downloads and Video Players with Shortcode Conditionals (or occasionally PHP Conditionals, depending on how advanced you’re getting).

See: Knowledge Base » Simple Shortcode Conditionals

Bruce,

Thanks. I understand the use of conditionals which help restrict who can get to it in the first place.

And thanks for the update on not being able to hide the URL. So this points to Amazon Cloudfront as the way to go then… I’d suggest an enhancement request for either obscuring the URL further or perhaps a one time URL if the player can’t be called without one visible…

Thanks,

Ira

The advantage of the Amazon URLs is that they expire after a while, so the even if the user has the URL, it won’t work past that time. You can learn more about Amazon link expiration here: http://www.s2member.com/kb/amazon-s3-and-cloudfront-link-expiration/