There are a few threads over on the jPlayer Google Group about this, but "File above web root?" has the most useful information.
I think we can implement something similar to this. My initial research / thoughts are:
- The filefield (or site file system in Drupal 6) would need to be set to Private.
- In hook_file_download(), we can compare the timestamp to the current time, and allow access if the time passed is less than some specified period (like 5 seconds).
- If the timestamp isn't present or if it's expired, we can deny access. The 403 could be logged to the watchdog, or perhaps even a separate table for authenticated users. That way, it should be easy to track users who are attempting to download the file directly.
I need this for Drupal 6, but I might write it for D7 first and backport. I'm filing this against 7.x-2.x due to #1173678: Add 6.x-1.x-dev release.
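A sketch of the check proposed in this post for Drupal 7, added here as an example and not taken from the jPlayer module. The module name `mymodule`, the `ts` and `token` query parameters, and the HMAC signature are assumptions: a bare timestamp in the URL can be set by whoever requests the file, so the example signs it with the site's private key.

```php
<?php
// Added example for a hypothetical Drupal 7 module named "mymodule".
// Lifetime in seconds; 5 is the period suggested in the post.
define('MYMODULE_LINK_LIFETIME', 5);

/**
 * Signs a file URI and timestamp with the site's private key and hash salt.
 */
function mymodule_sign($uri, $ts) {
  return drupal_hmac_base64($uri . ':' . $ts, drupal_get_private_key() . drupal_get_hash_salt());
}

/**
 * Builds the short-lived URL to hand to the player when the page is rendered.
 */
function mymodule_signed_url($uri) {
  $query = array('ts' => REQUEST_TIME, 'token' => mymodule_sign($uri, REQUEST_TIME));
  return url(file_create_url($uri), array('query' => $query));
}

/**
 * Implements hook_file_download().
 */
function mymodule_file_download($uri) {
  // Assumption: every private file is protected. A real module would narrow
  // this to its own file fields and return NULL for everything else.
  if (file_uri_scheme($uri) != 'private') {
    return NULL;
  }
  $query = drupal_get_query_parameters();
  $ts = (isset($query['ts']) && is_string($query['ts'])) ? $query['ts'] : '';
  $token = (isset($query['token']) && is_string($query['token'])) ? $query['token'] : '';

  // The timestamp must be numeric, carry a valid signature, and be recent.
  // hash_equals() needs PHP 5.6+ and compares in constant time.
  $age = REQUEST_TIME - (int) $ts;
  $valid = ctype_digit($ts)
    && hash_equals(mymodule_sign($uri, $ts), $token)
    && $age >= 0 && $age <= MYMODULE_LINK_LIFETIME;

  if (!$valid) {
    // Log the denial so direct download attempts can be traced per user.
    watchdog('mymodule', 'Denied direct download of %uri by uid @uid from @ip.', array(
      '%uri' => $uri,
      '@uid' => $GLOBALS['user']->uid,
      '@ip' => ip_address(),
    ), WATCHDOG_WARNING);
    return -1; // Drupal answers with 403 Access denied.
  }
  // Returning headers grants access unless another module returns -1.
  return array('Content-Type' => file_get_mimetype($uri));
}
```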