Best practice to prevent sharing page url - wordpress

Looking for some strategy here. We have a secure (subscription-based) website that points to another website for streaming video. Currently, a savvy user could potentially share the link to the streaming page thus bypassing the login. Looking for ideas on how to:
Prevent sharing the link
Cloak the link...or
Make the link from the origin page point to a dynamically-generated URL that can only be visited once.
Thanks in advance!

Unless there is a form of streaming the video from the third party to your application (by streaming I actually mean sending the video in chunks of data to your backend, assembling them back together, and serving the actual assembled video as if it was hosted directly on the same host as the web application, I have personally done this using Amazon S3 for my open-source subscription-based CMS called phpReel) I don't think you can securely do this.
If you do want to go down this route please note that it might get expensive if you have a lot of active subscriptions but if you are interested you could check out these files as they showcase how I have done it for phpReel. I am afraid though that you might need a developer for this job.
On a more optimistic note, may I ask what service do you actually use to stream your videos? For example, Vimeo with the cheapest paid plan offers an option that restricts access to your video outside a specific domain name. Meaning you can set that your videos must be streamed only on domain.com, and thus they will be accessible there and only there.

Related

How can I make a direct person-to-person chat widget for my website that doesn't use server resources?

I would like to add live text chat to my website, but without using too many server resources or a third party application. I'm not concerned about keeping a chat log/history at this point. How would I go about making a website chat widget (preferably WordPress friendly) that would only use server resources to establish the initial connection between 2 logged in users, but that would essentially let them chat live without relaying the message through my server? Is this technically feasible? Does a product like this exist already? I've searched could not find any one-time-fee live chat solutions that don't route through my server or through a third-party server.
This has been addressed here, but that is from 2011/2012.
A quick googling seems to suggest WebRTC might be a good choice for this sort of thing.
A few more minutes of research yields this, a javascript library for working with WebRTC.
Even better: here is an example of a php chat server using WebRTC. This is probably what you'll want, seeing as WordPress is PHP.
Hopefully this is enough info to get you started. Good luck!

PHPMotion implementation - URL based videos (Hosted on separate location)

I have to implement a video collection website for users of a specific ISP. The site will be hosted on a public web-server but all the movies will be hosted on local ISP server. The user of that ISP + general visitors can see the available movies; but only ISP's users will be able to play them.
The player on site will point to URL of a local machine (http://192.x.x.x/movies/mymovie.mov) this private class (192.x.x.x) will only be accessible to ISP user.
Question: Is it possible with PHPMotion script? or I need to do custom work.
If possible, can someone please suggest available MODs?
PHPmotion would require some modifications to be able to handle something like this. Uploading, conversion, thumbnail generation, and playback are all pretty static in PHPmotion.
Really though, rather than modding the entire upload and conversion process, if you created a quick custom form to add entries to the PHPmotion database (maybe include thumbnail upload), then tweaked the playback paths, you should be good to go on the PHPmotion side of things. This would assume that you already had your videos in a format that the player could handle (such as flv or mp4).

What I need to know to do asp.net streaming

I have an thing to create Internet shop to sell video views. And there are some rules, which I don't know how to do. The rules is:
Loggined client can only view one video 3 times per day.
I read somewhere that I need to generate virtual links to video and server must hold it, for example, 3 hours OR until client looked up to the end the video, and then delete this virtual link and refresh player state to "start video position and waiting for start". Like on youtube but client shouldn't have a way to rewind the video.
I need to hold situation that client who buy 'video01' give another client him page address or all attributes data from player tag. If second client don't buy 'video01' he shouldn't load it. (I think it's can be solved by cookies).
After 180 video views, client's subscription must be stopped.
And finally question from me is how to play video from my website? Can anyone explain me how to make asp.net site with rules that I wrote the above? What technology I need to use?
I will be grateful if someone advise me a literature that I need to read to know how to do this? Perhaps for a start I need to know how to play video on asp.net webpages.
What free flash player I should use for my solution, any examples please? Really need help.
P.S.: I need to use a free flash player to play videos, not silverlight.
The videos are on the remote servers, not on the local server where I hold the site.
To limit the video as per your requirement you need to use GenericHandlers in asp.net. It must be designed in such a way that the url must expire after reaching the above condition.
For Example, you can generate a random key that should append with the url (ie, QueryString) and store it in Database along with the time of generation. You can make the key expire after 3 hours then.
To play the video on your website you can add jQuery plugin videojs. The documentation will help you to add that simple HTML5+Flash video player.

Check if anyone is currently using an ASP.Net app (site)

I build ASP.NET websites (hosted under IIS 6 usually, often with SQL Server backends and forms authentication).
Clients sometimes ask if I can check whether there are people currently browsing (and/or whether there are users currently logged in to) their website at a given moment, usually so the can safely do a deployment (they want a hotfix, for example).
I know the web is basically stateless so I can't be sure whether someone has closed the browser window, but I imagine there'd be some count of not-yet-timed-out sessions or something, and surely logged-in-users...
Is there a standard and/or easy way to check this?
Jakob's answer is correct but does rely on installing and configuring the Membership features.
A crude but simple way of tracking users online would be to store a counter in the Application object. This counter could be incremented/decremented upon their sessions starting and ending. There's an example of this on the MSDN website:
Session-State Events (MSDN Library)
Because the default Session Timeout is 20 minutes the accuracy of this method isn't guaranteed (but then that applies to any web application due to the stateless and disconnected nature of HTTP).
I know this is a pretty old question, but I figured I'd chime in. Why not use Google Analytics and view their real time dashboard? It will require minor code modifications (i.e. a single script import) and will do everything you're looking for...
You may be looking for the Membership.GetNumberOfUsersOnline method, although I'm not sure how reliable it is.
Sessions, suggested by other users, are a basic way of doing things, but are not too reliable. They can also work well in some circumstances, but not in others.
For example, if users are downloading large files or watching videos or listening to the podcasts, they may stay on the same page for hours (unless the requests to the binary data are tracked by ASP.NET too), but are still using your website.
Thus, my suggestion is to use the server logs to detect if the website is currently used by many people. It gives you the ability to:
See what sort of requests are done. It's quite easy to detect humans and crawlers, and with some experience, it's also possible to see if the human is currently doing something critical (such as writing a comment on a website, editing a document, or typing her credit card number and ordering something) or not (such as browsing).
See who is doing those requests. For example, if Google is crawling your website, it is a very bad idea to go offline, unless the search rating doesn't matter for you. On the other hand, if a bot is trying for two hours to crack your website by doing requests to different pages, you can go offline for sure.
Note: if a website has some critical areas (for example, writing this long answer, I would be angry if Stack Overflow goes offline in a few seconds just before I submit my answer), you can also send regular AJAX requests to the server while the user stays on the page. Of course, you must be careful when implementing such feature, and take in account that it will increase the bandwidth used, and will not work if the user has JavaScript disabled).
You can run command netstat and see how many active connection exist to your website ports.
Default port for http is *:80.
Default port for https is *:443.

confused about webservice AJAX calls security in ASP.NET

excuse me if i will sound little stupid but this thing had confused me to the core and i have been searching like crazy on net with no ultimate answer so i hope some one would shed more light on this matter.
now i wanna create a portal site and my client require that everything should be AJAX'ed so i have been playing with ASP.NET AJAX 4 and client site templating and web service, and of course the performance is great with JASON results, but my web Service code will be Public because anything available to JAVA script is available to anyone so as i read to avoid this i must :
use SSL but this is a portal site and front end should not use SSL
Authentication, will this is fine but for back-end and not front-end as login is not required.
after reading a lot as i have mentioned, i have come to the following pitfalls when using web service with AJAX and hope there is a solution or at least a way to bring more security
DOS:
i have read some articles that suggest you should throttle using IP detection and block this request for a while but here are some of the things i am worried about
will it affect search engine crawlers ?
will the hacker be able to bypass this by using proxy or other mean ?
Session HighJacking:
this is scary i still don't know how this can happen when you are using ASP.NET membership, i thought it is a pretty solid membership system!
and will a hacker be able to steal someones pass through this method?
a way to hide your code or encrypt it:
i think i am making a fool of myself here because i have mentioned that if it is public to java script then it is public to anyone, but my client would not want people to see the code writing logic and function.
Hide Webserivce:
like if you use fiddler you can see in the RAW data the path to for example www.mysite.com/toparticles/getTopArticles(10) again this scares my client and i have tried to disable WSDL and documentation in webconfig but this only blocks direct access to the file and nothing more or am i wrong! is there a way to hide the path to web service?
so all in all my top concerns is to prevent hammering any of my web services and hide my code as much as possible.
so am i to paranoid as on the front end i am going mostly to be pulling Data but again i may give user the option to save for example his widget preferences in DB, etc... and it is not gonna be through SSL thus the above security threats are valid.
i hope some one can also share his experience on this matter,
thanks in advance.
Any functionality exposed on the web is going to be, well... exposed on the web. Even if you were using pure ASP.NET with postbacks, sniffers can see the traffic and mimic the postbacks, Ajax just takes that to its logical extreme. Webservices are (for the most part) just like any other get/post system (RESTful or not).
There are some methods that you can use to secure your webservices from unauthorized access, but in truth these are the exact same things you would do to secure any other site (asp.net, traditional web, etc).
There are lots of articles all over the web about how to secure your website, and these will apply equally well to AJAX, Webservices, etc.
If you are really concerned about your webservices being publicly exposed, you can use your own custom reverse proxy to hide the services inside the customers network and only expose the proxy to the outside world. You can then secure the services so they are only accessed through the proxy and provide whatever appropriate security on the proxy you feel relevant. In this way all traffic comes through servers that you specify and is restricted (to a reasonable degree) from prying eyes. In general though I think this might be over-kill especially for a portal site.
One thing to talk with your client about is the upsell value of using webservices as a sellable product to integrators. In other words, designing the security into the webservices and using the portal only as an example of how to put it all together. A clear example of this is SharePoint, which is in truth a collection of webservices and processes and the website is really just for convenience, the power of SharePoint is in the interop of the services.
For more specific answers to your security questions, there are plenty of posts here on SO as well as the web covering each of your specific points.

Resources