Securing your content

Pugpig Client will store Edition Credentials Tokens on the device for each edition that it knows it has access to. These tokens are made up of a username and password, and these are sent as part of any request for content. It is then up to your server to ensure you check these credentials are valid before serving any content.

The API Specification response for Edition Credentials also allows the server to specify custom auth headers for the client to send - for example for Akamai Token Authentication.

Note: If a resource is protected and no credentials are provided, the server should send a 403 Forbidden immediately rather than a 401 Authentication Required. This is because iOS, in particular, will pop up a login dialog when it sees a 401, and the end user will have no idea what to do with this. iOS Newsstand downloads also cannot handle a 401.

Using the Out of the Box Credential Generators

Important: If you wish to protect content based on edition ID using this (one-way hash) method, you need to be able to infer the edition ID from the URL for any protected resource.

If you are using one of the out of the box server side credential generators, you’ll need to be able to decode the credentials they generate. These include the Vendor Store receipt validators (iTunes, Google Play, Amazon, Windows, etc) as well as the well known subscription system modules. In all cases, there is a secret shared between the credential generators and the credential checkers. There is a specific format of the credentials - an SHA1 hash of the product ID (or edition ID), the username and the password. The username is random. Example code to generate these credentials:

$sharedSecret ='TOP_SECRET';// Get the secret shared by the credential generators
$edition_id = get_edition_id();// Get it from the query string or headers
$username = sha1(mt_rand());// Random username
$password = sha1("$product_Id:$username:$sharedSecret");

In this case, the logic that checks the code should be something like:

$sharedSecret ='TOP_SECRET';// Get the secret shared by the credential generators
$edition_id = get_edition_id();// Get it from the URL
// Free content doesn't need auth headers
if(edition_is_free($edition_id))return TRUE;

if isset($_SERVER['PHP_AUTH_USER'])
  && isset($_SERVER['PHP_AUTH_PW'])) {

 $username = $_SERVER['PHP_AUTH_USER'];
 $password = sha1("$edition_id:$username:$sharedSecret");
 return($password == $_SERVER['PHP_AUTH_PW']);

return FALSE;

Example code

You can see an example of this in the standalone PHP module available for download.

Security on the Edge

The security check can be implemented using certain accelerators or content delivery networks. See XXX for info on:

  • Varnish
  • Amazon Cloudfront
  • Akamai
  • Fastly CDN




Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request


Powered by Zendesk