
Is it safe to send session Id with rtmp request?


I need to know if a user is logged in, and who they are when they request an rtmp stream.

The rtmp server will connect to a php callback page when user connects and will only authorize the stream on a 2xx response.

I thought of this:

<param name="flashvars" 
     value="src=rtmp://serverip/stream?sid=<?php echo $session_id; ?>" /> 

I'm using https but the rtmp is not over a secure connection so it seems dangerous.

Perhaps there is a better method?


Solution

  • Send an encryption of the session_id instead, and decrypt it when the callback occurs, at the PHP side.

    To make it extra safe, have the key to your encryption be different every time. For example, have it consist of a static part and a dynamic part (e.g. user_name), and pass a clue to the dynamic part (e.g. user_id) along in the flashvars.

    Example:

    sending the param:

    <?php
        // $session_id, $user_name and $user_id come from the logged-in user's session.
        $static_key_part = "blahblah";
        // the key is the static part plus a per-user dynamic part
        $encrypted = openssl_encrypt($session_id, "aes128", $static_key_part.$user_name);
    ?>
    <param name="flashvars" 
        value="src=rtmp://serverip/stream?sid=<?php echo urlencode($encrypted); ?>&user_id=<?php echo $user_id; ?>" />
    

    handling the callback:

    <?php
        $static_key_part = "blahblah";
        $encrypted = $_GET['sid'];                    // same parameter name as in the flashvars
        $user_id = (int) $_GET['user_id'];
        $user_name = get_it_from_database($user_id);  // rebuild the dynamic part of the key
        $session_id = openssl_decrypt($encrypted, "aes128", $static_key_part.$user_name);
        session_id($session_id);                      // must be set before session_start()
        session_start();
        // check session here
    ?>
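As an added example (not code from the question or the answer), the same callback flow with a short-lived HMAC-signed token in place of the session id: the page that embeds the player mints the token, and the rtmp callback verifies it and answers 2xx or 403. `$secret`, the token layout, the `token` query parameter and the function names are assumptions for illustration.

```php
<?php
// Added example, not code from the question or answer: send the player a
// short-lived HMAC-signed token instead of the session id and verify it in
// the rtmp callback. $secret, the token layout and the "token" query name
// are assumptions for illustration.

// Builds "user_id.expires.nonce.signature". The signature covers all three
// fields, and expires limits how long a token captured on the plaintext rtmp
// connection remains usable.
function make_stream_token(int $user_id, string $secret, int $ttl = 60, ?int $now = null): string
{
    $expires = ($now ?? time()) + $ttl;
    $nonce = bin2hex(random_bytes(8));
    $payload = "$user_id.$expires.$nonce";
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

// Returns the user id for an authentic, unexpired token, otherwise null.
function verify_stream_token(string $token, string $secret, ?int $now = null): ?int
{
    $parts = explode('.', $token);
    if (count($parts) !== 4) {
        return null;
    }
    [$user_id, $expires, $nonce, $sig] = $parts;
    if (!ctype_digit($user_id) || !ctype_digit($expires)) {
        return null;
    }
    $expected = hash_hmac('sha256', "$user_id.$expires.$nonce", $secret);
    // hash_equals compares in constant time so the signature cannot be guessed byte by byte.
    if (!hash_equals($expected, $sig) || (int) $expires < ($now ?? time())) {
        return null;
    }
    return (int) $user_id;
}

// Page that embeds the player, in place of the flashvars from the question:
//   $token = make_stream_token($user_id, $secret);
//   the flashvars value becomes "src=rtmp://serverip/stream?token=" . urlencode($token)

// Callback hit by the rtmp server: 2xx authorizes the stream, anything else denies it.
function handle_rtmp_callback(array $query, string $secret): int
{
    $user_id = isset($query['token']) ? verify_stream_token((string) $query['token'], $secret) : null;
    return $user_id === null ? 403 : 200;
}

// Usage in the callback page: http_response_code(handle_rtmp_callback($_GET, $secret));
```

A token is still replayable until it expires, since the rtmp leg is plaintext; keep the ttl short, and if one connection per token is required, record used nonces server-side and reject repeats.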