Wowza Community

SecureToken - is there any way to force unique "login" authentication

Hi,

Sorry for my previous question - it was a misunderstanding of the secure token mechanics…

I want to ask if you have any proposal for how to build an access restriction based on the SecureToken v2 method of authentication. I want to authenticate my users with our own authentication backend and sign Wowza stream addresses for them, but I want to be sure that they are not able to simultaneously access streams using the same credentials.

Can I attach custom authentication data to the signed URL (for example wowzatokenusername=paluho) and later check on the Wowza side if there is a running session with the given authentication parameter?

Hi,

There isn’t any way to intercept the secure token workflow; however, you could check the query params separately to see if they are already being used in another session. If someone tries to change your wowzatokenusername value manually, then it would fail the secure token check anyway.

Where you might have a problem is if the user refreshes the player page and restarts it with the same token values. This would create a new session before the old one times out. The normal secure token checks would pass but your username check would fail until the old session timed out and shut down.

Part of the secure token check is the player IP address, which must match for the player connection to your web page and for the player connection to the Wowza server. Given that most problems are with users sharing links, this catches most cases. If you need to have a more secure approach, then you can use the APIs to create your own solution.

Roger.

Hi,

If the playback user is using the correct playback URL, with the correct security token, then his playback request will be authorized. However, you could restrict the secure token validity to the Client IP. This way, even if the unauthorized playback user is using the correct playback URL, his IP address won’t match the one for which that particular secure token hash was generated.

Zoran
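Here is an added example of how the authentication backend could do the signing that Zoran describes: binding the SecureToken v2 hash to the viewer's IP address and to a custom login parameter. It is not Wowza's code or code from this thread; the hash-string layout (content path, optional client IP, shared secret, then the prefixed parameters sorted by name, hashed with SHA-256 and URL-safe Base64 encoded) follows the SecureToken v2 documentation as the writer recalls it and should be checked against your Engine version. The shared secret, token prefix, IP addresses and login are constructed placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Map;
import java.util.TreeMap;

/**
 * Added example (not Wowza's own code): signs a playback URL with SecureToken v2
 * so that the hash covers the content path, the viewer's IP and a login parameter.
 * Assumption: the hash-string layout matches the Wowza SecureToken v2 documentation.
 */
public class SecureTokenSigner {

    private final String sharedSecret;   // configured in the Wowza application
    private final String tokenPrefix;    // e.g. "myTokenPrefix", as in the thread

    public SecureTokenSigner(String sharedSecret, String tokenPrefix) {
        this.sharedSecret = sharedSecret;
        this.tokenPrefix = tokenPrefix;
    }

    /**
     * Builds the string that gets hashed:
     *   contentPath?[clientIp&]sharedSecret&prefixParam1=v1&prefixParam2=v2...
     * with the prefixed parameters sorted by name. clientIp may be null when the
     * token is not bound to an address.
     */
    String hashInput(String contentPath, String clientIp, Map<String, String> customParams) {
        TreeMap<String, String> sorted = new TreeMap<>();
        for (Map.Entry<String, String> e : customParams.entrySet()) {
            sorted.put(tokenPrefix + e.getKey(), e.getValue());
        }
        StringBuilder sb = new StringBuilder(contentPath).append('?');
        if (clientIp != null && !clientIp.isEmpty()) {
            sb.append(clientIp).append('&');
        }
        sb.append(sharedSecret);
        for (Map.Entry<String, String> e : sorted.entrySet()) {
            sb.append('&').append(e.getKey()).append('=').append(e.getValue());
        }
        return sb.toString();
    }

    /** SHA-256 of the hash input, URL-safe Base64: the value of "<prefix>hash". */
    public String hash(String contentPath, String clientIp, Map<String, String> customParams) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(
                    hashInput(contentPath, clientIp, customParams).getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException("SHA-256 not available", ex);
        }
    }

    /** Full playback URL: the prefixed custom parameters followed by the hash parameter. */
    public String signedUrl(String base, String contentPath, String clientIp,
                            Map<String, String> customParams) {
        StringBuilder url = new StringBuilder(base).append('/').append(contentPath).append('?');
        for (Map.Entry<String, String> e : new TreeMap<>(customParams).entrySet()) {
            url.append(tokenPrefix).append(e.getKey()).append('=').append(e.getValue()).append('&');
        }
        url.append(tokenPrefix).append("hash=").append(hash(contentPath, clientIp, customParams));
        return url.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values; the secret is a placeholder, not a real one.
        SecureTokenSigner signer = new SecureTokenSigner("REPLACE_WITH_SHARED_SECRET", "myTokenPrefix");
        Map<String, String> params = Map.of("Login", "paluh");

        String forPaluh = signer.hash("vod/sample.mp4", "192.168.1.2", params);
        String forBob   = signer.hash("vod/sample.mp4", "192.168.1.3", params);
        // Same path and login but a different client IP: the hash no longer matches,
        // so a link handed to another viewer fails Wowza's token check.
        System.out.println("hash differs across IPs:    " + !forPaluh.equals(forBob));

        // Changing the login parameter also changes the hash, so the login value the
        // server sees cannot be altered without the shared secret.
        String tampered = signer.hash("vod/sample.mp4", "192.168.1.2", Map.of("Login", "bob"));
        System.out.println("hash differs across logins: " + !forPaluh.equals(tampered));

        System.out.println(signer.signedUrl("http://192.168.1.1:1935", "vod/sample.mp4",
                "192.168.1.2", params));
    }
}
```

The IP used for signing has to be the address Wowza will see on the media connection; viewers behind a NAT, proxy or carrier-grade NAT share one address and a token bound to it is valid for all of them, while a viewer whose address changes mid-session (mobile handover) is cut off. Both effects are worth measuring before enabling IP binding in production.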

Hello,

Yes, you can develop a custom module to implement this workflow.

Basically, you can have the module retrieve the query string, check it against a database and, if the check returns as expected, authorize that particular playback session.

In the “How to do user authentication for Flash RTMP client using JDBC connection to MySQL database” forum article you can find an example on how to do something similar.

Zoran

Thanks a lot Roger for your answer!

I’ve got an additional question:

Is it possible to create a module (or modules - probably separate modules for RTMP, HTTP and RTSP) which, when a request arrives, checks if there is any other running (HTTP, RTSP or RTMP) session in the given VHost that uses the same wowzatokenusername, and if it exists “kills” this matching session, so that only a single session is allowed with a given wowzatokenusername per VHost?

Thanks Zoran for your answer, but I wonder if there is any possibility to forbid simultaneous connections based on the same “login”. I wonder if it is possible to implement the given scenario:

  • our authentication backend checks user credentials and creates signed URLs

  • let’s suppose that user “paluh” has authenticated and our system generated URLs for him (for simplicity there is only one custom parameter, which contains the user login):

http://192.168.1.1:1935/vod/sample.mp4?myTokenPrefixLogin=paluh&myTokenPrefixhash=TgJft5hsjKyC5Rem_EoUNPasdfaqVPhhd0GxIcA2oo=

  • assume that user “paluh” is viewing the stream using the given address, but he has also given the RTMP version of the signed URL to his friend Bob

  • now Bob is trying to access the server using (the same “login” value):

rtmp://192.168.1.1:1935/vod/sample.mp4/playlist.m3u8?myTokenPrefixLogin=paluh&myTokenPrefixhash=TgJft5hsjKyC5Rem_EoUNP7xZvxbqVPhhd0GxIcA2oo=

My question is:

Is it possible to write such a plugin, which will search for every (all HTTP, RTMP and RTSP) session (within a given VHost or Application) with the “myTokenPrefixLogin=paluh” parameter and “kill” such sessions before it allows Bob to access the stream?
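As an added example of the custom module Zoran suggests, written to the semantics asked for above (newest session wins, older sessions with the same login are shut down): this is not Wowza's code or code from this thread. It keeps to a single application instance rather than the whole VHost; the hook names (onConnect, onHTTPSessionCreate, onRTPSessionCreate) and session methods (getQueryStr, getAppInstance, setShutdownClient, shutdown, getSessionId) are as the writer recalls them from the Wowza Java API and should be verified against the javadoc of the installed Engine version. The parameter name myTokenPrefixLogin comes from the thread.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;

import com.wowza.wms.amf.AMFDataList;
import com.wowza.wms.application.IApplicationInstance;
import com.wowza.wms.client.IClient;
import com.wowza.wms.httpstreamer.model.IHTTPStreamerSession;
import com.wowza.wms.module.ModuleBase;
import com.wowza.wms.request.RequestFunction;
import com.wowza.wms.rtp.model.RTPSession;

/**
 * Added example (not Wowza's own code): allows one live session per
 * "myTokenPrefixLogin" value within an application instance, across RTMP,
 * HTTP (HLS/DASH) and RTSP. A new session with a login already in use shuts
 * the older sessions down and is admitted itself, so a page refresh replaces
 * the previous session instead of being refused while it times out.
 *
 * Assumption: hook and method names follow the Wowza Java API as recalled;
 * confirm them against the javadoc of your Engine version.
 */
public class ModuleSingleSessionPerLogin extends ModuleBase {

    /** Custom parameter carried in the signed URL (name taken from the thread). */
    private static final String LOGIN_PARAM = "myTokenPrefixLogin";

    // RTMP / Flash connections.
    public void onConnect(IClient client, RequestFunction function, AMFDataList params) {
        String login = extractLogin(client.getQueryStr());
        if (login != null) evictOtherSessions(client.getAppInstance(), login, client);
    }

    // HTTP streaming sessions (HLS, MPEG-DASH, ...).
    public void onHTTPSessionCreate(IHTTPStreamerSession httpSession) {
        String login = extractLogin(httpSession.getQueryStr());
        if (login != null) evictOtherSessions(httpSession.getAppInstance(), login, httpSession);
    }

    // RTSP / RTP sessions.
    public void onRTPSessionCreate(RTPSession rtpSession) {
        String login = extractLogin(rtpSession.getQueryStr());
        if (login != null) evictOtherSessions(rtpSession.getAppInstance(), login, rtpSession);
    }

    /**
     * Shuts down every session in the application instance carrying the same
     * login, except the session that just arrived. The login value is covered
     * by the SecureToken hash, so it cannot be altered without the shared
     * secret: a request with a forged login fails Wowza's own token check.
     */
    private static void evictOtherSessions(IApplicationInstance app, String login, Object newcomer) {
        for (IClient c : app.getClients()) {
            if (c != newcomer && login.equals(extractLogin(c.getQueryStr()))) {
                getLogger().info("single-session: closing RTMP client " + c.getClientId() + " for login " + login);
                c.setShutdownClient(true);
            }
        }
        for (IHTTPStreamerSession s : app.getHTTPStreamerSessions()) {
            if (s != newcomer && login.equals(extractLogin(s.getQueryStr()))) {
                getLogger().info("single-session: closing HTTP session " + s.getSessionId() + " for login " + login);
                s.shutdown();
            }
        }
        for (RTPSession r : app.getRTPSessions()) {
            if (r != newcomer && login.equals(extractLogin(r.getQueryStr()))) {
                getLogger().info("single-session: closing RTP session " + r.getSessionId() + " for login " + login);
                r.shutdown();
            }
        }
    }

    /** Returns the decoded value of LOGIN_PARAM from a query string, or null if absent or empty. */
    static String extractLogin(String queryStr) {
        if (queryStr == null || queryStr.isEmpty()) return null;
        for (String pair : queryStr.split("&")) {
            int eq = pair.indexOf('=');
            if (eq <= 0 || !LOGIN_PARAM.equals(pair.substring(0, eq))) continue;
            try {
                String value = URLDecoder.decode(pair.substring(eq + 1), "UTF-8");
                return value.isEmpty() ? null : value;
            } catch (UnsupportedEncodingException e) {
                return null; // UTF-8 is always present; kept only for the checked exception
            }
        }
        return null;
    }
}
```

Register the class in the application's Application.xml Modules list like any other module. One caveat matters for the "kill the old session" design: whether these hooks run before or after Wowza's SecureToken check depends on the protocol and the Engine version. If they run before it, a request carrying a valid login value but an invalid hash would evict the legitimate viewer before being rejected itself, so in that case move the eviction to a point after playback has been authorized, or fall back to Roger's variant of rejecting the newcomer instead of closing existing sessions.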