
Authentication for Cincopa Player

The Cincopa Player provides an advanced authentication feature to secure your content using server-side tokens. This guide explains how to set up and manage authentication for different use cases.


Overview

This feature secures access by requiring a server-side authentication token to initialize the player. The token is designed to prevent unauthorized access, such as URL hacking attempts. The key points are:

  1. Universal Application: Authentication applies universally to all players to prevent exploitable loopholes.
  2. Static Tokens: A simpler implementation for environments without backend support.
  3. Dynamic Tokens: A more secure implementation using backend-generated tokens.

Enabling Authentication

  1. Navigate to the Settings Page of your Cincopa account.
  2. Enable the option to secure the player using a server-side authentication token.
  3. Set the secret code that will be used to generate the authentication token on your server. This secret code is also required for validation on Cincopa's side.
  4. For debugging, set the authentication to stage mode before enabling it fully in production.

Authentication Setup

Generating the Token

To generate an authentication token on the server, follow this pseudocode (written in PHP syntax):

FID-Based Token (More Secure)

$fid = "<fid that you use in the embed code>";
$secret = "<your secret code set in the settings page>";
$expiretime = time() + 60; // Token validity period (e.g., 60 seconds)
$rules = 'expiretime=' . $expiretime;
$hash = hash_hmac('sha256', $fid . $rules, $secret, FALSE);
echo "auth=" . $rules . ';' . $hash . "\r\n";
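
For backends not written in PHP, the same FID-based token can be built in Python. This is an added example, not Cincopa's own code: the function names and the sample fid and secret are constructed, and check_auth_token is a local self-check that recomputes the same HMAC to test your generator, an assumption about validation rather than Cincopa's documented logic.

```python
import hashlib
import hmac
import time
from typing import Optional


def _sign(fid: str, rules: str, secret: str) -> str:
    # Same input as the PHP snippet: HMAC-SHA256 over fid . rules, lowercase hex.
    return hmac.new(secret.encode(), (fid + rules).encode(), hashlib.sha256).hexdigest()


def make_auth_token(fid: str, secret: str, ttl_seconds: int = 60,
                    now: Optional[int] = None) -> str:
    """Return 'expiretime=<unix time>;<hex hmac>', the value placed in cpo["auth"]."""
    issued = int(time.time()) if now is None else now
    rules = f"expiretime={issued + ttl_seconds}"
    return f"{rules};{_sign(fid, rules, secret)}"


def check_auth_token(token: str, fid: str, secret: str,
                     now: Optional[int] = None) -> bool:
    """Local self-check (hypothetical helper): verify the HMAC first, then the expiry."""
    rules, sep, digest = token.rpartition(";")
    if not sep or not rules.startswith("expiretime="):
        return False
    expected = _sign(fid, rules, secret)
    # Constant-time comparison, so timing does not reveal how many characters matched.
    if not hmac.compare_digest(expected.encode(), digest.encode()):
        return False
    try:
        expires = int(rules[len("expiretime="):])
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    return current <= expires


if __name__ == "__main__":
    # Constructed sample values; use your real fid and the secret from the settings page.
    token = make_auth_token("EXAMPLE_FID", "example-secret")
    print(f'cpo["auth"] = "{token}";')
    print("self-check passed:", check_auth_token(token, "EXAMPLE_FID", "example-secret"))
```

Generate the token per page request on the server and keep the secret out of any client-side code, since anyone holding the secret can mint valid tokens.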

Static Authentication Token (Account-Based)

For environments without backend support, generate a one-time static authentication token:

// $secret and $expiretime are assumed to be set beforehand, as in the FID-based example above
$rules = 'expiretime=' . $expiretime . ';uid=YOUR_UID_HERE';
$hash = hash_hmac('sha256', 'YOUR_UID_HERE' . $rules, $secret, FALSE);

This static token approach is useful when backend requests are not available. However, for better security, consider updating the token periodically.


Including the Token in the Embed Code

Add the generated token to the player initialization code as follows:

<div id="cincopa_941e25">...</div>
<script type="text/javascript">
var cpo = [];
cpo["_object"] ="cincopa_941e25";
cpo["_fid"] = "AUFAqA_w45xR";
cpo["auth"] = "expiretime=1736770942;8ff16a7c9cdec8088a39f815ada0fbcf1a5c0158b2bee31d86d96295bdbe564f";
var _cpmp = _cpmp || []; _cpmp.push(cpo);
(function() {
    var cp = document.createElement("script");
    cp.type = "text/javascript";
    cp.async = true;
    cp.src = "https://rtcdn.cincopa.com/libasync.js";
    var c = document.getElementsByTagName("script")[0];
    c.parentNode.insertBefore(cp, c);
})();
</script>

For iframes, append the &auth=xxxx parameter to the URL.


Notes

  • The feature is designed to ensure secure access universally across all players.
  • Using static tokens provides a practical solution for environments without backend support but is less secure than dynamic tokens.
  • Dynamic FID-based tokens are the more secure option.
  • Ensure the JavaScript library (https://rtcdn.cincopa.com/libasync.js) is included in your page for the embed to work properly.

For further assistance or implementation guidance, feel free to reach out.