Request locking request-locking
To reduce opportunity for tampering with requests, a simple locking facility is provided.
If attribute::RequestLock is set, a lock value must be appended to the request, in form of &xxxx, with xxxx being a four digit hex value. This hex value is generated using a simple hashing algorithm applied to the modifiers portion of the request (after the ‘?’ which separates the URL path from the modifiers). This must be done after the request is fully http-encoded, but before it is (optionally) obfuscated. After de-obfuscating the request, the server uses the same hashing algorithm on the modifier string (excluding the last 5 characters, which contain the lock value). If the generated key does not match the lock, the request is rejected.
- The Dynamic Media user interface may not show the correct details for the Last Published field. However, this affect does not impact publishing.
- Currently, HLS video streaming does not work when Request obfuscation and Request locking are enabled.
- Currently, some Dynamic Media Viewers do not work when Request obfuscation and Request locking are enabled.
C++ sample code to generate the request lock value:
unsigned int lockValue(const char *str)
{
unsigned int sum = 0;
if (str == NULL)
return sum;
for (; *str; ++str)
sum = (sum*131 + *str) & 0xffff;
return sum;
}
See also section-a6d45406c0354669ac581793e4fa8436
HTTP Encoding, Request Obfuscation, attribute::RequestLock