Stream security - Storm Server

In order to limit access to the steam for undesirable viewers, a secure token authentication method can be activated. The general concept is pretty simple. A MD5 token based on a server time and a password is generated. For even tighter security an IP address can be added to the string. Then same algorithm must be replicated for WWW server-side. Depending on preferences the token will stay valid for up to specified amount of time.

Token algorithm

The token is made up from two or three parameters joined together as a single string and encrypted as a MD5.

  1. unixtime - standard unixtime rounded to full minutes.
  2. password saved in config/preferences.xml file.
  3. IP address - an IP address of a viewer (e.g.

Below you'll find an example for PHP:

$token = md5($timestamp.$password);         // simplified version
$token = md5($timestamp.$password.$ip);     // version with viewer's IP address
Don't forget to configure the secure token on player's side. Please check Security settings - Storm JavaScript Library for more details.

Configuration example

SecureStream configuration is located in config/preferences.xml file. Each internal application has its own Stream settings.

<SecureStream enabled="true">

preferences.xml configuration

Parameter nameSuggested valueDescription
SecureStream:enabledfalseWhenever this option is active or not.
passwordBetween 10-16 charactersA password for your secure token.
ingestIPtrueDecides whenever IP becomes part of the token (might cause troubles for viewers using proxy services).
timeoutBetween 3 and 5Timeout for a token (in minutes).
Table 1. SecureStream parameters table