Question
How can I use URL Signing With Cookies Enabled?
Environment
OnApp CDN
Answer
*Please note this feature is currently not implemented in the UI. Please send in a CDN support ticket to request the feature.*
Like our existing URL signing feature, this option protects your files from unauthorized access, but it also works by setting cookies in the visitor's browser. The idea is that the first URL is signed; the subsequent content is then served to end users without a token in the URL, because those requests are authenticated with a token stored in a cookie. A cookie can store a maximum of 40 tokens. Enabling this option provides an entry field for a secret key, which is used to securely sign any direct URI (Uniform Resource Identifier) link to all files/resources under this URL.
The token is formed using the following format:
<expires><path><key><ip>
<expires> : The expiration of the URL. This is in Unix timestamp format. This is optional.
<path>: The file path or file directory. **Note:** for HLS, it is better to use the directory path instead of the .m3u8 file, so that all the chunks of the HLS stream are authenticated as well.
<key>: The URL signing key. The key must be between 6 and 32 characters long.
<ip>: The IPs that are allowed access. This is optional.
To generate the hash key, refer to the PHP script below:
```php
<?php
/**
 * Generate URL signed CDN resource
 *
 * @param string $scheme
 *   The scheme for CDN Resource URL
 *   e.g. "http" or "https"
 * @param string $cdnResourceUrl
 *   The CDN resource URL (without scheme)
 *   e.g. "cdn.yourdomain.com/files/file.html"
 * @param string $filePath
 *   File path of the CDN resource as part of token key
 *   e.g. "/", "/files", "/files/file.html"
 * @param string $secretKey
 *   The secret key as part of token key
 * @param int $expiryTimestamp [optional]
 *   UNIX timestamp format, specify how long the url signed link is accessible to the public
 *   By default will be accessible forever.
 * @param string $clientIp [optional]
 *   Client IP as part of token key
 *   Can be retrieved from $_SERVER['REMOTE_ADDR']
 *   By default the url signed link is not restricted to any IP
 *
 * @return string URL with generated token
 *   URL with designated format to access the resource
 *
 * Example:
 *   Generate url signed link for resource https://www.example.com/images/photo.png for next 3 days, assume today is Sun, 01 Apr 2012.
 *
 *
 *   https://www.example.com/images/photo.png?secure=kaGd_cu6Iy4LDgfX3jy5Rw&expires=1333497600
 *
 */
// $scheme has no default value: it precedes a required parameter, so a default
// could never be used (and is deprecated as of PHP 8).
function generateSignedUrl($scheme, $cdnResourceUrl, $filePath = "/", $secretKey = "", $expiryTimestamp = "", $clientIp = "") {
    if (empty($scheme) || empty($cdnResourceUrl)) {
        exit("First argument \"scheme\" and/or second argument \"cdnResourceUrl\" cannot be empty.");
    }

    // NOTE: We adhere to ngx_secure_link_module hashing strategy
    // Ref: http://nginx.org/en/docs/http/ngx_http_secure_link_module.html#secure_link
    $searchChars = array('+', '/', '=');
    $replaceChars = array('-', '_', '');

    // 1. Setup Token Key
    // 1.1 Append leading slash if missing (also covers an empty path)
    if ($filePath === '' || $filePath[0] != '/') {
        $filePath = "/{$filePath}";
    }

    // 1.2 Extract uri, ignore arguments
    if ($pos = strpos($filePath, '?')) {
        $filePath = substr($filePath, 0, $pos);
    }

    // 1.3 Formulate the token key
    $tokenKey = $expiryTimestamp . $filePath . $secretKey . $clientIp;

    // 2. Setup URL
    // 2.1 Append argument - secure (compulsory)
    // The token is the raw MD5 digest, base64-encoded and made URL-safe
    $urlStr = "{$scheme}://{$cdnResourceUrl}?secure=" . str_replace($searchChars, $replaceChars, base64_encode(md5($tokenKey, TRUE)));

    // 2.2 Append argument - expires
    if (!empty($expiryTimestamp) || $expiryTimestamp === "0" || $expiryTimestamp === 0) {
        $urlStr .= "&expires={$expiryTimestamp}";
    }

    // 2.3 Append argument - ip
    if (!empty($clientIp)) {
        $urlStr .= "&ip={$clientIp}";
    }

    return $urlStr;
}
?>
```
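The same token seen from the checking side, as an added example (not OnApp's code and not part of the original script): a Python port of the token formula above, plus a verifier that recomputes the token, compares it in constant time and then enforces the expiry. The function names, the sample key, path and IP, and the expiry rule (reject when `expires` is earlier than the current time) are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample values, not real credentials.
SECRET_KEY = "example-secret-key"   # 6 to 32 characters, per the key rule above
PATH = "/files/file.html"
CLIENT_IP = "203.0.113.7"
EXPIRES = "1333497600"               # Unix timestamp, as in the docblock example


def make_token(path, secret_key, expires="", client_ip=""):
    """base64url(md5(<expires><path><key><ip>)) with '=' padding removed."""
    if not path.startswith("/"):
        path = "/" + path
    path = path.split("?", 1)[0]     # sign the URI only, never the query string
    raw = f"{expires}{path}{secret_key}{client_ip}".encode()
    digest = hashlib.md5(raw).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def check_token(token, path, secret_key, expires="", client_ip="", now=None):
    """Return (accepted, reason). Assumed rule: expired when expires < now."""
    expected = make_token(path, secret_key, expires, client_ip)
    # Constant-time comparison so response timing does not leak the token.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return False, "mismatch"
    if expires != "":
        now = time.time() if now is None else now
        if int(expires) < now:
            return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    token = make_token(PATH, SECRET_KEY, EXPIRES, CLIENT_IP)
    before = int(EXPIRES) - 60
    print(token)
    print(check_token(token, PATH, SECRET_KEY, EXPIRES, CLIENT_IP, now=before))
    # Changing any signed field (expiry, IP, path) invalidates the token.
    print(check_token(token, PATH, SECRET_KEY, "9999999999", CLIENT_IP, now=before))
    print(check_token(token, PATH, SECRET_KEY, EXPIRES, "198.51.100.9", now=before))
    print(check_token(token, PATH, SECRET_KEY, EXPIRES, CLIENT_IP, now=int(EXPIRES) + 1))
```

Because `expires` and `ip` are inputs to the hash, a visitor who edits either query argument ends up with a token that no longer matches.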