I really like the way other streaming apps secure the music. They will put the music in folders that are below the root folder. They then link to the music through the database, instead of directly to the music. This way a song can be something like www.mywebsite.com\\song.php?id=1000&ssid=4235435234534&type=mp3 This is great because you can't just scan a website for all the links to songs. A few even take this a step further and add a SSID (session ID) to the url. This way the songs can have a static location, but the ssid in the url will be dynamic. Allowing the urls to the songs to not be direct linkable. The urls can then be set to expire after any given time. ie, I could provide a playlist or song that is only accessible while the user is logged in and only accessible for 2 hours. When the user logs in again next, the url will auto update with a url that has a valid ssid.


I have recommend this a few times in the past, over a year or two ago. I am not sure if germi has considered this or worked on anything along these lines.

Hmm, if I get some free time here soon, I will see if I can write up some documentation on some simple steps to secure ones MC setup. I am a little bit wary on doing so as not only can it be helpful to secure ones site, it can also be helpful for one to gain access to ones site for those that do not take proper steps.

I noticed you have implemented a few things such as locking down certain page types from being displayed to non logged in users. Though there are quite a few other ones that are even more important. For example you have protected some of the pages that are not quite as important, but left open to the public ones that actually contained the information I would assume you want hidden, such as file names and locations. Took only a few seconds to be able to view all 757 songs.

I strongly believe that MC needs to lock down how songs are accessed first, but at least in the mean time there are a few things we can do to at least lower unauthorized access to the music. Unfortunately this is why I have only used MC on sites that I have legal rights to distribute any music that I have hosted on them. I would love to use MC as a personal streaming server, but I can't take the chance of my legal personal collection being publicly accessible and getting sued by the rights holders for unintentionally distributing to others.

indeed, the only way is to protect the song through a script and user the session ID or similar.

the problem with this is that these systems require what is called a "pseudo-HTTP streamer" that are not "incredible stable" systems. they do not always work perfectly.. that's why I never decided to make this official. sorry, @greengeek.

BUT, I have a beta development using this that I made a few months ago.
for now, I won't make this public.
but if you guys want to try it, I an provide this to you (actually I'm already working in another beta thing with @maxpower as we speak...)

I would be happy to beta test it.

I am not sure what a pseudo-HTTP streamer is, but I have been using ampache for many years and it works with no problems streaming music. I never had any problems with it being stable and it is all in php and runs off an apache webserver much the same way MC does. It is open source and may be worth looking at how they do it at ampache.org

They are setup more so as just a personal streaming portal and not a full blown cms like MC is. Very simple gui with no additional information displayed. Plus it is stand alone with no joomla integration. With MC, I really love the look and all the additional information I can add to an artist, album, or song. Plus the way I can easily incorporate it into my website. If you could take a page from ampache for how they deal with their streaming, playlists, and advance search, I think MC would be even greater than it currently is

Hi give your email ID plessssssssssss

Hey germi, did you have a chance to send a beta invite on this? I would love to try it out! :cheer:

not yet - but I have you on my mind I know you and @maxpower want to try this, but now I'm a bit busy with the new version and the J 3.0 compatibility!!

Will Music Collection still work if I move the songs folder below the web root?

Has anyone tried?

hello,

it won't work because songs are accessed through URL.. so no, they won't work with the current system I'm afraid...

Can a mod rewrite in htaccess prevent file leeching? Or will that also not work for the same reason?

the problem with that solution would be that songs would not be playable with the player (only downloadable), because the htaccess solution would block the downloads, but also the player from accessing the file. do you know what I mean?

This is the only barrier to me purchasing a full copy of this software.

I need to be sure that uploaded music by my users can be played but not "leached" from the server.

I also cant find where users can disable the download button, some content providers may wish to allow a download but others may wish to prevent it, is this possible ?

- If it is not possible to "secure" the MP3 away from trawlers by serving them from below the root http//, can you explain how the files are named and saved on the server. If I can't block people from creating direct links to mp3's on the server I would like to make them hard to use.

Suggestion -(you may do this already)
can I use the database to assign a random 32-bit Hex name to the file.mp3 and each album folder, in order to make the files harder to identify. By doing this one would need to know the exact HEX key for the folder and file, and what this relates to in my DB.

hello,

the download button can be activated/deactivated, yes.

there's no way to REALLY secure a songs path. that can't be done.
what can be done is try to put some extra "barriers". the key concept is this: if something can be PLAYED, then there will always a way to DOWNLOAD it. in other words, if the player can access it, then the user can access it as well. that's the "Golden Rule" if you want

how to "make things harder": well, the way is to stream the songs thru a script (something called an HTTP Pseudo Streamer), so the song link is not "direct" (i.e., mysong.mp3) but it's something like...: "?view=song&id=234". this allows for the songs to be OUTSIDE site root as well. the path still bring to the song (so it can be downloaded), but it's 1 step more complicated.

furthermore: how to prevent "hotlinking": adding a variable in the song (like the session ID) path. for instance: "?view=song&id=234&session_id=OIUSKJf938234SKKJf9e"
if you copy/paste a link like this outside your site, then if someone tries to access it directly, he won't be able because the session ID is unique. do you know what I mean?

of course, the user can then go to the site and he will obtain "his" session id, and be able to download. but at least, hotlinking would NOT be possible
that's 2 steps harder

in any case that's what I can think out of my mind, this is not implemented in Music Collection...

that's actually even "1 step further" your suggestion (random 32-bit hexcode)

If your site uses any type of naming convention for your song files, once a song if found and hot linked once, its pretty much over. The music sharing sites out there will eventually get you. All they have to do is find the mp3s in your folder directory. I was being spammed by China all day long.

I was using an older version of MC so maybe there is a solution now.

to clarify my suggestion

instead of having a folder with 100's of mp3's in it (with logical names based on the users file names)

could your system create a "user" folder with a random number name

and "rename" mp3's after upload to a Random Number too

then use the database to recover the names and folders / album info etc

I see what you mean (that's actually much easier)
what you ask for is not an out of the box feature, but to implement it should not be too hard.

Germi

Could you help me impliment this.

The idea is that it would make it harder to trawl folders if they are all in random names, and the mp3 files will be harder to process if they have non-decsriptive titles. Each folder can have a blank .php index page and a blank .html page to further prevent discovery.

I don't think this will affect SEO either because the html will be served/displayed with all the valid titles and text when the file is retrieved.

yes we can help you in the right direction. (are you a programmer?)
otherwise, if you're not, we can do this modifications for you with our custom coding service.

Germi

I'd like to throw my question in the mix on this. I need to first state that I am not a programmer.

Could you put the "music folder" under the /administrator section within Joomla to prevent hot linking? I fully understand the "Golden Rule" but as MC resides within the same "system," is it possible to allow the player to access this content with some known factor within the system?

I have another component that allow's downloads and it secures these files behind the administrator folder (along with other security factors I am sure).

I am quite nervous about the security of the music now, after reading through this thread.

putting the songs folder into /administrator won't really change things. if you have another component allowing downloads with this method it means that probably the folder contains a .htaccess blocking direct download, but the principle is the same as exposed below. the only way to prevent hotlinking is using a script...

Michael if you want to discuss this further you can contact me by email.

Thank you.

hello
I wanted to see if there is already a solution to this problem? I am developing a new project for this component. Direct links to media files could not hide. I would be very happy to help. Thanks in advance to all