Unprotected access to video file, no login screen

[stanislaw2002 1]

Hello,

I noticed once in Firefox browser watching video, right click on video brings submenu offering various options, including “Copy video location” and “Email video” (Chrome has “Copy video URL”)  Anyway, once you copy the link and email it to anybody they can access the video without authentication. 

Is it possible to change this and make a video more secure?

 

The example of the direct link that bypass user’s authentication:

 

http://myip.address.com:8096/Videos/0582de1364832564a1da425fb501f01d/stream.mp4?Static=true&mediaSourceId=0582de1364832564a1da425fb501f01d&api_key=81c0f4041be1491aa5316052d589c6fd

 

Regards

[trusselo 220]

did not work with chrome from app.emby.com

 

copied video link:

blob:http%3A//192.168.1.11%3A8096/59dd224f-c6ca-4466-94c4-61fa567a4d2c

 

even if you edit out the blob: and edit the %3A to :

copy into chrome incognito window DOES NOT WORK.

 

tried again from localIP (192.168.1.11)

blob:http%3A//192.168.1.11%3A8096/89ec9bbc-99da-4a65-af5f-7ebbad13eeff

edited to

http://192.168.1.11:8096/89ec9bbc-99da-4a65-af5f-7ebbad13eeff

DOES NOT WORK

 

so... maybe firefox is different...

or  there is something different about OP's method.

 

How are you accessing the page?

app.emby.com

localhost:8096/web/index.htm

??

 

EDIT note. when i tired the incognito pages that  "did not work", the original page where I copied the link from had been closed.

tried again, does not work with original window open paused or playing still

Edited August 24, 2015 by trusselo

[Luke 37022]

The url has an access token embedded which means it won't last very long. It will expire immediately just by logging out.

[stanislaw2002 1]

Thank you for an answers,

Trusselo, in my Chrome (Version 44.0.2403.157 m) right click on vide and option Copy video URL works well.  Just to be specific I’m running Emby Server Version 3.0.5607.2 on Synology NAS.  Also, Firefox take a long time before playing the vide (I guess it has to download it all, vs Chrome playing right away)

 

Luke,

I try to access the link form different computer after making sure that the user logout.  I checked Advanced/Security Api key, to make sure that the key is removed after the logout.  Still even without the key you can access the file.  Also, I tried a link that I emailed yesterday and it is still working. 

The second problem as I read from the forum is that; if user is not going to actively logout the Emby server will keep the api key listed forever.  Is it true?

 

I’m just trying to setup a server in my company to host training videos. The problem is that access to those videos base on the department that you work for.  For now, it looks way to easy just to right click and Email the video to anybody.

Any help is appreciate.  I just want to make sure that it is desire behavior,  or it is just me doing something wrong.

Regards

[Luke 37022]

The fact you can use it without the key is only temporary because the old media browser ios app has never been updated to the new authentication.  so the playback and subtitle endpoints don't require a token until our new emby ios app is out and until some grace period has been allowed after that.

[stanislaw2002 1]

OK, thank you for update.  So I will just wait

 

Regards