damogran's avatar

Video Streaming Project; Protect Videos

hi there,

i'm working on a project where users can register and watch some protected video content. i had a concept of some sort which worked fine until i tested it with android. so here is my setup

i've a simple blade for my player (using video.js 5)

```html
<video id="div_video" width="640" height="264" class="video-js vjs-default-skin vjs-16-9" preload="none" controls poster="/pics/content/{{$vid->filename}}.png" data-setup='{}'>
    <source src="/content/{{$vid->id}}.mp4" type="video/mp4">
    <source src="/content/{{$vid->id}}.webm" type="video/webm">
</video>
```

$vid comes from a db query, not too important here i guess.

then i have a route for serving the video stream aka the video sources

```php
Route::get('content/{id}.{type}', 'ContentController@stream');
```

and finally my ContentController's stream method:

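```php
public function stream($id, $type)
{
    // Only requests that carry a logged-in session get the file.
    if (Auth::check()) {
        // [...] doing some other stuff
        return response()->download($video_file);
    }

    // No authenticated session on this request.
    return "NOT AUTHORIZED";
}
```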

it works quite well on mac, iphones and ipads. then i started testing on android. and it didn't work. after some wild guessing (it was hard for me to debug with an android tablet) i figured that the android browser always gets the "NOT AUTHORIZED" response. for testing purposes i changed that part with return response()->download("some other video"); and it worked. so i don't have a streaming / videojs / mp4 file format issue.

so maybe,

  1. someone sees the problem i'm not seeing
  2. there is a better solution to protect my videos which works on every platform
  3. you guys know a way to debug android devices? something like the iOS simulator part of xcode

how does laracasts protect their videos?

thanks in advance! damo

MikeHopley's avatar

I can't see the problem in your code. My guess is that, for some reason, your Android device is not maintaining the session. Perhaps it has a "private browsing" mode activated?

Providing video is complex. You are much better off using a dedicated service. Laracasts uses Vimeo Pro, which is also what I would recommend.

Other popular options include YouTube and Wistia. YouTube is free, but the YouTube "experience" tends to capture visitors for YouTube, rather than keeping them on your site. Wistia is like Vimeo, but it has some nice extra features such as video heat-map analytics. Wistia can potentially get very expensive if you have a lot of traffic (for example, if you provide some free videos).

It's possible to go down a more "custom" route. For example, I previously used the Highwinds CDN to serve the video, and Flowplayer as the video player. This provided better content protection (with RTMP, and later HTTP streaming), but it was a huge hassle and the result was patchy. I don't recommend this.

martinbean's avatar

@damogran You’re not really protecting your video content, as if someone uses Chrome’s Web Inspector then they can get the URL of your video content and then save the video file, or pass the URL to friends.

If you really want to protect your content, then you might want to look at something like Amazon Web Services, where you can protect content by only allowing access via a signed URL or, even better, CloudFront, which again can restrict access to pre-signed URLs or cookies. You can also reduce the overhead of loading the video with PHP just to stream it again, by accessing the video file directly (after authentication).

damogran's avatar

@MikeHopley seems you are right and i'm not the only one with this problem http://stackoverflow.com/questions/32181185/php-android-loses-session-and-cookie-information-when-using-embedded-video-play

@martinbean sorry i forgot to mention that the actual video file is not directly accessible, meaning it is not inside the webserver's docroot. saving the file would only be possible if the user is able to pass the controller's checks (authentication and some other things i check). that's good enough for me since if something is on the internet, it can be stolen. :-)
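An added example, not part of any post in this thread: the signed-URL idea martinbean mentions, applied to the `/content/{id}.{type}` route so that the video request is authorised by an expiring HMAC in the URL instead of the session cookie the Android player fails to send. The key, the `expires`/`sig` parameter names and all function names are assumptions made for illustration.

```php
<?php
// Assumed demo key (constructed); a real key belongs in configuration, not source.
const SIGNING_KEY = 'constructed-demo-key';

// HMAC over the exact path and expiry, so neither can be changed after signing.
function video_signature(string $path, int $expires, string $key): string
{
    return hash_hmac('sha256', $path . "\n" . $expires, $key);
}

// Called while rendering the player page, after the normal Auth::check().
function sign_video_url(int $id, string $type, int $ttl, string $key, int $now): string
{
    $path = "/content/{$id}.{$type}";
    $expires = $now + $ttl;
    return $path . '?' . http_build_query([
        'expires' => $expires,
        'sig'     => video_signature($path, $expires, $key),
    ]);
}

// Called by the streaming endpoint; needs no cookie or session.
function verify_video_url(string $url, string $key, int $now): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['path'], $parts['query'])) {
        return false;
    }
    parse_str($parts['query'], $q);
    $expires = $q['expires'] ?? null;
    $sig = $q['sig'] ?? null;
    // Reject missing, non-numeric or array-valued parameters.
    if (!is_string($expires) || !ctype_digit($expires) || !is_string($sig)) {
        return false;
    }
    if ((int) $expires < $now) {
        return false; // link lifetime is over
    }
    // Constant-time comparison of expected and supplied signature.
    return hash_equals(video_signature($parts['path'], (int) $expires, $key), $sig);
}

// Constructed sample run with a fixed clock.
$now = 1700000000;
$url = sign_video_url(42, 'mp4', 300, SIGNING_KEY, $now);
var_dump(verify_video_url($url, SIGNING_KEY, $now + 60));                               // inside the lifetime
var_dump(verify_video_url(str_replace('/42.', '/43.', $url), SIGNING_KEY, $now + 60)); // id altered after signing
var_dump(verify_video_url($url, SIGNING_KEY, $now + 301));                              // after expiry
```

Anyone who holds a signed URL can fetch the file until it expires, so the lifetime should be short while still covering the player's follow-up range requests.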
