Paid access to streaming videos.
June 25, 2011 7:42 PM Subscribe
What is the best way to deliver streaming videos to paying customers?
I need to stream videos (not live- but I'd rather not go with a download model) to customers who have paid either for the individual video, or a subscription of some sort.
I will probably use a CMS of some sort for the site- Joomla or Wordpress.
What's the best way to do this? I have plenty of experience with the CMS, but none with e-commerce or restricting access to media.
Do I embed the videos in pages, and restrict access to the pages? Or somehow some other mechanism?
Also, I've heard that Amazon's cloud service is great for hosting media files. Would it be simple to integrate videos from Amazon's cloud into such a system?
Any tips or starting points would be greatly appreciated.
Thanks!
I need to stream videos (not live- but I'd rather not go with a download model) to customers who have paid either for the individual video, or a subscription of some sort.
I will probably use a CMS of some sort for the site- Joomla or Wordpress.
What's the best way to do this? I have plenty of experience with the CMS, but none with e-commerce or restricting access to media.
Do I embed the videos in pages, and restrict access to the pages? Or somehow some other mechanism?
Also, I've heard that Amazon's cloud service is great for hosting media files. Would it be simple to integrate videos from Amazon's cloud into such a system?
Any tips or starting points would be greatly appreciated.
Thanks!
Ugh, forgot to close me
posted by Brian Puccio at 8:18 PM on June 25, 2011
ol tag. Wish there was an edit function here.posted by Brian Puccio at 8:18 PM on June 25, 2011
The route you take will depend on how badly you want to prevent people from being able to get the videos without paying. For example, this:
Do I embed the videos in pages, and restrict access to the pages?
...would work but since you're not actually protecting the asset (the actual .mp4/.flv file), someone who paid could extract the URL to that asset and give it so someone else who could just download it directly; they wouldn't need access to the embedding page. Maybe that's fine with you, because it's really simple to implement this solution and maybe it's not worth the hassle.
If you do want to prevent this, there are various steps you can take. You can require some kind of access key in order to access the asset URL; this could be a URL parameter or a cookie value. The asset would then be served by a script that first looks up that key in a list to make sure it's valid, and only then does a sendfile()/passthru() to serve the asset. You have to implement some kind of system where the valid keys are aged out, either by time, by number of downloads, or by IP address. Here you have to make tradeoffs based on customer feedback. For example if you let a key be valid only for one download then maybe the person starts to watch the video and then their browser locks up, and they restart and come back and can't view it again and you get a pissed off email saying they paid for something that they didn't receive. So maybe you make each key valid for 3 hours or 5 downloads, and keyed to the /24 of the original requesting IP.
Another approach is to make the URL to the asset something that's harder to download, such as rtmp:// or rtmpe:// instead of http://. The upside here is that it's harder to get the content because you have to resort to specialized tools like rtmpdump or stream recorder software. But the downside is that you can't serve this from a plain web server any more, you need a streaming media server of some kind like Adobe's Flash media server product. Sometimes just being rtmp:// is enough to thwart people from figuring out how to download the stream, but you can combine this with unique tokens or other access controls if you're paranoid. A lot of the big streaming companies like Ooyala or Brightcove send the actual rtmp:// url in a response packet that is encrypted with a symmetric cipher like blowfish, and the decryption key is embedded in the flash player. This means that someone snooping the net traffic can't find the rtmp:// url.
Clearly however no solution is going to be 100%. It will always be possible to use screen recording software and the like to capture and share a video, even if it's not practical to just download the stream in its original form.
posted by Rhomboid at 8:44 PM on June 25, 2011
Do I embed the videos in pages, and restrict access to the pages?
...would work but since you're not actually protecting the asset (the actual .mp4/.flv file), someone who paid could extract the URL to that asset and give it so someone else who could just download it directly; they wouldn't need access to the embedding page. Maybe that's fine with you, because it's really simple to implement this solution and maybe it's not worth the hassle.
If you do want to prevent this, there are various steps you can take. You can require some kind of access key in order to access the asset URL; this could be a URL parameter or a cookie value. The asset would then be served by a script that first looks up that key in a list to make sure it's valid, and only then does a sendfile()/passthru() to serve the asset. You have to implement some kind of system where the valid keys are aged out, either by time, by number of downloads, or by IP address. Here you have to make tradeoffs based on customer feedback. For example if you let a key be valid only for one download then maybe the person starts to watch the video and then their browser locks up, and they restart and come back and can't view it again and you get a pissed off email saying they paid for something that they didn't receive. So maybe you make each key valid for 3 hours or 5 downloads, and keyed to the /24 of the original requesting IP.
Another approach is to make the URL to the asset something that's harder to download, such as rtmp:// or rtmpe:// instead of http://. The upside here is that it's harder to get the content because you have to resort to specialized tools like rtmpdump or stream recorder software. But the downside is that you can't serve this from a plain web server any more, you need a streaming media server of some kind like Adobe's Flash media server product. Sometimes just being rtmp:// is enough to thwart people from figuring out how to download the stream, but you can combine this with unique tokens or other access controls if you're paranoid. A lot of the big streaming companies like Ooyala or Brightcove send the actual rtmp:// url in a response packet that is encrypted with a symmetric cipher like blowfish, and the decryption key is embedded in the flash player. This means that someone snooping the net traffic can't find the rtmp:// url.
Clearly however no solution is going to be 100%. It will always be possible to use screen recording software and the like to capture and share a video, even if it's not practical to just download the stream in its original form.
posted by Rhomboid at 8:44 PM on June 25, 2011
« Older How do I find those hard to find Windows files? | Graduating, and not sure of the next steps Newer »
This thread is closed to new comments.
posted by Brian Puccio at 8:18 PM on June 25, 2011