Using Amazon S3 Authenticated URL's

Why use Amazon S3 Authenticated URL's?

OptinPlayer is unique among standalone web video players because it comes with the server-side feature to optionally protect your content from hot-linking with Amazon S3 Authenticated URL's. This is achieved by the use of AJAX technology to allow the web page to communicate with a PHP script included in the OptinPlayer package that generates unique URL's for the video playback each time the page is visited.

Using Amazon authenticated URL's for your video source means that the video URL cannot be copied and used elsewhere, such as in another site (hotlinking). That's because it expires a set time after it has been generated - long enough for a visitor to initiate playback but no longer.

To achieve this OptinPlayer generates a new secure URL each time the page is visited, or refreshed. This must be done on the server and a small PHP script is used to do this. Typically this kind of functionality is only found in subscription services, making OptinPlayer unique in this respect.


Modifying ACL settings for Amazon authentication

Refer to Create an S3 account section 4 and modify the permissions for your video as follows:

Remove the Grantee "Everyone" and under the Grantee "Authenticated Users" ensure that the "Open/Download" checkbox is checked, and save.


Enter your Amazon credentials in OptinPlayer

In the folder "optinplayer" you will see a sub-folder called "php" and in there a file called "utils.php". Open this in a simple text editor and see the section at the top like this:

$accessKey = '87YHJNRTF568HFE45TVN';
$secretKey = 'iUYh6750jmpojiudladurhYFHJJudjlpoi87^frD';
$expires = 300;
$bucket = 'mybucket1';

Enter your Amazon Access key and Secret key as in the example. These keys are provided to you when you sign up for Amazon S3. The expires time is set at 300 seconds by default, and can be left to this for most purposes. For testing (see below), you can set it to something shorter, say 30 seconds, but don't forget to change it back. Finally enter the name of your bucket.

When you are done, save and upload this file to your server into the correct optinplayer folder.


Setup OptinPlayer

In your OptinPlayer code add the following option somewhere:

'S3auth' : true,

And change the video URL to contain only the name of your video plus extension, for example:

'flash' : 'myVideo.flv',
'html5' : 'myVideo.mp4',


Testing the secure URL

You will need a developer tool such as Firebug (for FireFox) to obtain the actual URL used for the video. In Firebug, click on the "Net" tab and refresh the page. You will see the URL used for Amazon authentication, and can right click and copy it. It will look something like this:

http://mybucket.s3.amazonaws.com/player.flv?AWSAccessKeyId=87YHJNRTF568HFE45TVN&Expires=1369670881&Signature=mUumvFkHkfVICva4p50oU4Bz4kw%3D

Paste that URL into a new tab in your browser and load it. Do this within the expires period you have specified above. Within that timeframe you will get a prompt from the browser to download the file, which simply means that the authenticated URL is working ok.

Now wait until the expire time has passed and refresh the page. Instead of a download prompt you will something like this:

<Error>
<Code>AccessDenied</Code>
<Message>Request has expired</Message>
<RequestId>E3C974153E087519</RequestId>
<Expires>2013-05-27T14:48:17Z</Expires>
<HostId>tcakBKPmJjI0h69idv2ktLXyb2I7e5dQ5yxSYXMFpM+JliNfvQdsihXrRSBaonID
</HostId><ServerTime>2013-05-27T14:48:22Z
</ServerTime>
</Error>

In other words, the request is not valid because it has timed out.

Note that once the playback of the video has begun, this timeout is unimportant, the video can be as long as you want. It is only the time from URL generation to the actual request that is measured.



Back to top