Subscription protection?

What are the best ways to develop a subscription type site that provides content for lessons (like Lynda.com)?

How do you protect content from downloading (audio and video)?

What's the best way to handle passwords? Can a user have a username and password, and have an additional password that is changed regularly and distributed across the site to reduce the number of people using other people's passwords?

How do you minimize people sharing their passwords with other people?

0




3 answers


  • Content protection is pretty simple: just write a page that has access to user / security session data and check if they are allowed to download the requested file. You can do this easily with a Java Servlet or any other web framework like ASP.NET, PHP, etc.

  • I would recommend against the multiple-passwords technique. It will be a hassle for your clients. It also gives the impression that you are assuming that your customers are trying to cheat the system. Instead, I would log all user logins as well as user hits for a specific file, and also log IP addresses. You can write code to parse this data and find concurrent logins from different IP addresses. You can also write code to prevent multiple logins.



+1
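The log parsing suggested in the answer above, as an added example that is not part of the original answer: it flags accounts that were used from more than one IP address within a short window. The log line format (timestamp, user, IP, path), the 10-minute window and all sample entries are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, user id, client IP, requested file.
# All addresses come from the reserved documentation ranges.
SAMPLE_LOG = """\
2024-05-01T09:00:05 alice 192.0.2.10 /lessons/intro.mp4
2024-05-01T09:03:40 alice 192.0.2.10 /lessons/unit1.mp4
2024-05-01T09:04:10 alice 198.51.100.7 /lessons/unit4.mp4
2024-05-01T09:06:00 alice 192.0.2.10 /lessons/unit2.mp4
2024-05-01T09:10:00 bob 203.0.113.5 /lessons/intro.mp4
2024-05-01T13:30:00 bob 203.0.113.99 /lessons/unit1.mp4
2024-05-01T09:20:00 carol 192.0.2.44 /lessons/intro.mp4
"""

def parse(log_text):
    """Yield (timestamp, user, ip, path) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]

def concurrent_ip_users(log_text, window=timedelta(minutes=10)):
    """Return {user: sorted IPs} for accounts hit from more than one IP
    inside `window`. An IP change hours apart (bob) is not flagged."""
    hits = defaultdict(list)
    for ts, user, ip, _path in sorted(parse(log_text)):
        hits[user].append((ts, ip))
    flagged = {}
    for user, events in hits.items():
        start = 0
        for end, (ts, _ip) in enumerate(events):
            # Slide the window start forward until it spans at most `window`.
            while ts - events[start][0] > window:
                start += 1
            ips = {ip for _, ip in events[start:end + 1]}
            if len(ips) > 1:
                flagged.setdefault(user, set()).update(ips)
    return {user: sorted(ips) for user, ips in flagged.items()}

if __name__ == "__main__":
    for user, ips in concurrent_ip_users(SAMPLE_LOG).items():
        print(f"{user}: concurrent use from {', '.join(ips)}")
```

A short window keeps a subscriber who moves from home to office out of the results; widening it trades fewer misses for more false positives from mobile networks and shared proxies.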




You cannot prevent people from copying your content. If you want them to be able to view it, then they will need to be able to download it. If they can download it, they can save it.



I don't want this to seem hopeless, but I'm just trying to be honest here. You could try to find that someone is launching your site spider at their own expense, although this can be a little tricky. Maybe they can load 1 page every 10 or 15 seconds. And limit it to 50 pages per entry. This won't be too noticeable for most users, but it will heavily hold back any automatic spiders the user has tried to do. These numbers may need to be adjusted depending on the type of content you post.

+1




NOTE. In retrospect, I see a lot of missing details and edge cases to identify. I'm leaving it in this form because I think it's helpful to make it make sense (although the details aren't quite fully formed) so that you can see what you're looking for. You will need to work with the threat model in order for them to line up correctly.

, , (TSL https:), , , - ( ). , .

There is an interesting problem with how the hash (which you accept - you never know the user's password) is set the first time to associate with the user id used with you. You will need something like a unique key provided for the subscription and provided by shaking hands with your email during registration and initially selecting a user ID (if different from your email address) and password.

If you use cookies to avoid re-logging in, you may want to get encrypted / hashed information in the cookie that binds it to the machine as well as the subscription.

Now, having done so much, you have the problem of people wanting to work on multiple computers and also to reset the user's password so they can choose a new one instead of a forgotten / compromised one. Since this means providing phone support and other ways to reconfirm a genuine user, you might be wondering if it's worth it, and if users think it's worth it.

With regard to misappropriation of material obtained from the site, you have a much more complex problem. Encryption won't help, and you often want users to save content for offline use, links while working on the content, etc. What you can do is identify the material as your property and also as provided to a specific subscriber in ways where it is difficult to intercept all cases. This is a lot of server side work. Combined with the obvious demonstration of distrust in your subscribers, you can reconsider and work towards having something more trustworthy and, say, providing something of value that isn't just reflected in the content. Are you sure you want to do this?

NOTE 2. If you are doing a particular progression, for example using curricula and lessons, there are obvious things you can do so that if someone joins the group of several people, if they make any progress, they make a mess for someone else. The more personalization and progression, the less attractive it is to give the account to someone else. This does not preclude the preservation of the material, but any widespread reuse of the extracted content must be addressed by other means.

0

