Web tier: servlets, JSP, Web frameworks: Securing file downloads?
What are some of the possible ways to secure file downloads, apart from using basic/form authentication?
Basically, I would like to expose my mp3s through my flash player only. The player is embedded in a JSP page which pops up when the "play" button is clicked.
If a "client" tries to access the mp3 file by typing its URL in the browser, the server should reject the request!
I was thinking of checking the referer, but that didn't work... Maybe create a random link? At the time of the request, generate a unique folder, place the mp3 in that folder and stream it! Remove the folder after a while? Seems overkill, and there are quite a few things to consider!?
Why not check the referrer? Or use a servlet to pull the information, and check for some encoded value? I'd suggest using POST for that, actually, although these still aren't "secure" - anyone with a traffic sniffer or proxy (Parosproxy is a good one, for example) would be able to see it.
Another idea is to have a token built in the session that represents the MP3 in question. This token would expire after the session, and the mp3 servlet would look up the MP3 by token - that way, nobody would ever see the actual filename of the MP3, only a short-lived token.
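The session-token idea from the reply above, as an added example that is not code from the thread. The class name `Mp3TokenServlet`, the `t` parameter, the `mp3Tokens` session attribute and the `/var/media/mp3` directory are assumptions; the files are assumed to sit outside the web root, and the code targets the javax.servlet 3.1+ API.

```java
import java.io.IOException;
import java.nio.file.*;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.*;

// Hypothetical servlet, mapped for example to /stream. The player JSP calls
// issueToken(session, "song.mp3") and hands the player the URL stream?t=<token>.
public class Mp3TokenServlet extends HttpServlet {
    private static final SecureRandom RNG = new SecureRandom();
    // Assumed storage directory, not reachable by a direct URL.
    private static final Path MEDIA_ROOT = Paths.get("/var/media/mp3");
    private static final String ATTR = "mp3Tokens";

    /** Binds an unguessable token to a track inside this visitor's session. */
    @SuppressWarnings("unchecked")
    public static String issueToken(HttpSession session, String trackFile) {
        byte[] raw = new byte[16];                       // 128 bits from a CSPRNG
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        synchronized (session) {                         // guard the check-then-set
            Map<String, String> tokens = (Map<String, String>) session.getAttribute(ATTR);
            if (tokens == null) {
                tokens = new ConcurrentHashMap<>();
                session.setAttribute(ATTR, tokens);
            }
            tokens.put(token, trackFile);                // mapping dies with the session
        }
        return token;
    }

    @Override
    @SuppressWarnings("unchecked")
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);     // never create a session here
        String token = req.getParameter("t");
        Map<String, String> tokens =
            session == null ? null : (Map<String, String>) session.getAttribute(ATTR);
        String trackFile = (tokens == null || token == null) ? null : tokens.get(token);
        if (trackFile == null) { resp.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
        // Defensive: the resolved path must stay inside MEDIA_ROOT.
        Path file = MEDIA_ROOT.resolve(trackFile).normalize();
        if (!file.startsWith(MEDIA_ROOT) || !Files.isRegularFile(file)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND); return;
        }
        resp.setContentType("audio/mpeg");
        resp.setContentLengthLong(Files.size(file));
        Files.copy(file, resp.getOutputStream());        // real filename never reaches the client
    }
}
```

`request.getSession()` creates a session for anonymous visitors as well, so the token can be issued without a login; a request that arrives without the session cookie and a token issued in that session gets a 403.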
I tried reading the http_referer var and got nothing...
As for the session var, does it require a logged-in user or can I create the token like that? Also, I have 100s of mp3s and they are volatile; basically I have musicians who can upload and manage their own mp3s, edit them, delete them, etc...
Do you have any resources concerning a session token implementation?
See this for example:
You can create secure links for your users.