HTTP2 CDN
12 Nov 2018

Protecting CDN Content with Token Authentication and URL Signing

Token authentication and URL signing are technologies which help you secure your CDN content. Using these authentication solutions, you can ensure only legitimate users or services are authorized to access and download the content you have placed on your CDN. Typically, web asset administrators use this type of solution to prevent the hotlinking of material, in which a third-party site or service uses your web assets without permission. This unauthorized access can result in your CDN costs increasing or could violate any copyrights you may have on the content you share. URL signing and token authentication are intertwined when it comes to securing CDN content. Consequently, understanding how each component works can help you implement the relevant security you need.

The Evolution of Token-Based Authentication

Token-based authentication solves the issue of state when authenticated users access a website or web service. Since HTTP is a stateless protocol, each time a user issues a request to a web server, the server sees this as a new session. The manner in which HTTP manages sessions in this stateless manner is problematic when dealing with users who need to remain authenticated.  If there is no session management, each time a user submits a request, the user would need to re-enter their login credentials.

In the past, session-based authentication solved this issue. The server would create a session for the user after the user had successfully logged in. It would accomplish this by creating a session id which would store the relevant information in a cookie on the user’s browser and in the server’s memory. Each time the user made a request to the site, the session id would be sent along with it and compared to the session id on the server which solved the issue of state. However, as more users started accessing the same website, servers needed to manage the sessions of thousands or even millions of users. This influx of traffic resulted in scalability issues as web servers required an inordinate amount of memory to cope with managing millions of sessions.

Resolving the stateless nature of the HTTP protocol and the scalability issue of session-based authentication required a different approach. One where you could utilize the stateful nature of session-based authentication while not impacting server resources with excessive memory consumption. The creation of token-based authentication was the answer. It uses tokens which are similar to the cookies used in session-based authentication. However, unlike cookies which rely on a server to retain state, tokens are stateless, so there is no impact on server memory resources.

A token-based authentication typically follows a five-step process. The first step in the process requires the user to enter their login credentials which are then verified by the web application. Following the successful authentication of the user, the server signs a token and stores it on the user’s local device. Every time the user makes a request which requires authorization, the token is attached to it, and the server then decodes and verifies the token. If the token matches, the application grants the access needed to the web asset. Finally, once the user logs out, the token is destroyed.

There are multiple benefits in using token-based authentication for managing access to web applications. As mentioned, tokens are stateless which resolves the scalability issues which plagued session-based authentication solutions. Furthermore, the token issuing process can be decoupled from the server or web application. This feature means you can issue a token using a separate server or even a third-party authentication provider which further improves the scalability of this solution. Finally, token-based authentication also allows for fine-grained access control. You can specify user roles and permissions and explicitly state which resources the user can access which is far more practical than cookies which only store the session id.

URL Signing with Tokens

URL signing uses token-based authentication to protect web assets by appending a key, which is effectively a token, to the URL sent to the authorized user. Over and above its function as an authorization solution, you can configure URL signing to have additional parameters such as an expiration time or allowed IP address. The ability to set these parameters talks to the fine-grained access control features inherent in token-based authentication solutions.

Typically, content creators use URL signing when they wish to place content on a CDN which should not be accessible via anonymous access. For example, you could put content on a CDN you want to share with someone and secure it using URL signing. Not only would this prevent someone who does not have the URL from accessing the content, but it also ensures only the authorized user can access it.

For example, if you wish to prevent a user forwarding or sharing the URL with an unauthorized user, you could create the relevant URL signing token with a short expiry time of only a few minutes or even seconds. In this way, by the time the URL has reached the unauthorized party, it is no longer valid, and the CDN will not allow access. Similarly, you could also specify the authorized users IP address during the URL signing process, in which case the CDN would only allow access to the content from that particular IP. The converse is also true. If you wish to prevent users from a specific location accessing your content, you could set a denied IP range during the URL signing process which will prevent them from accessing it.

Generating a token that you will use during the URL signing process involves some programmatic coding function which you create by running a script after you have set the relevant parameters. Once the token is generated, you can then utilize it in conjunction with the CDN’s management interface which creates the signed URL for you. Once the URL is created, you can then use it to secure your content.

A Scalable and Secure Way to Protect Your Content

There are many use cases where you would wish to limit access to content on your CDN. Either the material should not be accessible to everyone, or you may have some expiry time frame which you need to enforce. Either way, using URL signing with token-based authentication is a secure, scalable and flexible solution that provides the functionality required to implement any content access restrictions your application may need.