Don’t let session tokens become a weakness for your OTT service

Bad news for Over-The-Top (OTT) streaming services! Pirates and users are growing more tech-savvy and developing more sophisticated techniques to gain unauthorized access to premium content.

Viewers are becoming less eager to subscribe to streaming services. They now frequently share credentials online to avoid paying the full subscription fee.

Meanwhile, pirates deploy cutting-edge technical methods to interfere with the internal processing of OTT services, gaining unauthorized access and redistributing the content across the Internet. One of their most widely used methods is to steal session tokens.

What are session tokens?

OTT service providers encrypt their premium content using Digital Rights Management (DRM), so before viewers can watch the desired content, the service platform must first acquire the decryption keys on their behalf. This process relies on what we call a session token. So, what is it?

When a user logs in to the OTT service using their credentials, the portal will return authentication proof, typically in the form of a session token, a digital certificate that contains the subscriber’s unique ID and entitlements. The multi-DRM solution uses a session token to evaluate the subscriber’s rights to grant an access license to a specific piece of content.

Every time a new request is made, the user’s device sends this token to the server, allowing it to validate the token’s signature and approve the request. The session is kept alive in this manner, saving the user from having to log in again after closing and reopening the browser or application.

Imagine the session token as a hotel key card. A customer will need to present their identification documents while checking in for the first time. A hotel key card will then be provided for them to use during their stay. It allows the customer to access their room and hotel’s facilities without having to provide identification information each time they leave and return to the hotel. Similar to a key card, a session token is what enables a user to access the OTT service.

How is the session token used in the video entertainment world?

The session token is a crucial link in the entire process of acquiring licenses and content keys. The following steps show, in a simplified way, how it is generated and used.

  • Step 1: A subscriber accesses the OTT service on a client device (app/browser) using their username and password. The Operator’s Authentication System (OAS) checks these credentials.
  • Step 2: The OAS then sends an entitlement request for the subscriber to the operator’s Subscriber Management System (SMS).
  • Step 3: The SMS checks and verifies the subscriber’s entitlements and returns them to the OAS.
  • Step 4: Once the subscriber’s entitlements are confirmed, the OAS generates a session token containing the subscriber’s unique ID, their entitlements, restrictions tied to IP address, device, user, etc., and the token’s validity period.
  • Step 5: When a subscriber selects a piece of content to watch, the OTT service sends a license request, along with the granted session token, to the DRM license service.
  • Step 6: The DRM license service verifies the session token’s authenticity and validity, then determines which entitlements apply to the license request for the selected content. If the subscriber is entitled, the DRM license is granted and the subscriber can watch the selected content. The subscriber’s device requests a new token whenever the previous one expires and a new DRM license is required.

Despite the important role of session tokens and the security built around them, they are also one of the biggest weaknesses that pirates leverage.

How do attackers steal session tokens?

Using the earlier metaphor, anyone holding a key card can access a specific hotel room and the other facilities, so the hotel staff cannot easily tell whether they are serving an actual customer. The same issue arises with session tokens in the OTT world: linking a token to its legitimate user is challenging, and once a session token is cloned onto another device, the service provider is unable to detect it.

Session tokens can be stolen through a variety of means, including reverse engineering the app, Cross-Site Scripting (XSS) attacks, malware that steals cookies from the user’s device, and traffic sniffing (e.g., using a proxy for HTTPS termination), to name a few.

Once individuals with malicious intentions successfully steal the session token, they can access the OTT service and easily commit harmful acts against both end users and service providers. The session token grants the attacker the same level of entitlement as the legitimate subscriber.

How are OTT service providers affected?

There are numerous possible damages for the OTT service provider when attackers breach the system, one of which is revenue loss. With a valid token in hand, attackers can gain unlimited access to the service, making it simpler for them to steal and redistribute premium content. Users consuming valuable content without paying means that the service provider loses both potential revenue and opportunities to convert and attract new subscribers.

That is not the only financial loss. The OTT service provider is inadvertently spending its own backend resources and third-party services to dispense licenses to unauthorized users, leaving it facing skyrocketing costs with no return on investment and a potential impact on the user experience of paying subscribers.

The provider may also be subject to penalties or, even worse, lose access to premium content for failing to comply with the security requirements of premium studios and sports rights holders; this can in turn increase subscription churn.

Furthermore, session tokens become a more attractive target for pirates when they remain valid for a long time. This is often the case when providers prefer long-duration session tokens in order to simplify the operational infrastructure.

What can OTT service providers do to protect their session tokens?

Session token theft can be avoided using the following techniques.

  • Short-duration session tokens: The shorter the validity period, the lower the risk. The session tokens should be valid for a limited period, just long enough to exchange an access license between the OTT application and the multi-DRM service. This would discourage unauthorized users from misusing session tokens. The advised validity time for session tokens, however, varies depending on the system and ecosystem specifics.
  • Frequent rotation of session token signing: A session token is signed with a ‘secret’. Rotating the ‘secret’ frequently minimizes the chance that an attacker can reverse engineer token generation or modify tokens.
  • Using DRM-based Concurrent Stream Management (CSM) to address session sharing piracy: This technology empowers service providers to grow their average revenue per unit by enforcing concurrent stream limits accurately and effectively, preventing revenue loss by discouraging session and credential sharing.
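The six-step flow above and the three protections in this list can be seen together in one small model. The following is an added example written for this article, not code from the original page or from any vendor’s multi-DRM product: it issues a short-lived, device-bound session token (step 4), verifies it at a toy DRM license service (step 6), rotates the signing secret with a short grace period so in-flight tokens still verify, and enforces a concurrent stream limit per subscriber. The class and function names, the two-tier content catalog and all sample values are constructed assumptions.

```python
# Added example: a toy OTT session-token flow (issue, verify, rotate the
# signing secret, enforce a concurrent-stream limit). Constructed for this
# article; names (SigningKeyRing, LicenseService, CATALOG) are hypothetical.
import base64
import hashlib
import hmac
import json

# Constructed catalog: content id -> entitlement tier needed for a license.
CATALOG = {"movie-123": "premium", "news-1": "basic"}


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SigningKeyRing:
    """Current signing secret plus recently retired ones, looked up by key id."""

    def __init__(self, first_secret: bytes):
        self.keys = {}      # kid -> [secret, retire_at or None]
        self.current = None
        self.rotate(first_secret, now=0)

    def rotate(self, new_secret: bytes, now: int, grace: int = 300):
        # The old secret stays usable for `grace` seconds so tokens already
        # in flight still verify; after that it is refused outright.
        if self.current is not None:
            self.keys[self.current][1] = now + grace
        kid = hashlib.sha256(new_secret).hexdigest()[:8]
        self.keys[kid] = [new_secret, None]
        self.current = kid

    def secret_for(self, kid, now: int):
        entry = self.keys.get(kid)
        if entry is None:
            return None
        secret, retire_at = entry
        if retire_at is not None and now > retire_at:
            return None
        return secret


def issue_token(ring, subscriber_id, entitlements, device_id, now, ttl=60):
    """Step 4: the OAS signs the subscriber's ID, entitlements, a device
    binding and a short validity window. The payload is readable; the HMAC
    tag is what proves it came from the OAS, so tampering is detected."""
    payload = {"sub": subscriber_id, "ent": sorted(entitlements), "dev": device_id,
               "iat": now, "exp": now + ttl, "kid": ring.current}
    body = b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    secret = ring.keys[ring.current][0]
    tag = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return body + "." + b64(tag)


def verify_token(ring, token, device_id, now):
    """Step 6 checks: signed under a live key, not expired, presented from the
    device it was bound to. Returns (payload, reason); payload is None on failure."""
    try:
        body, tag_text = token.split(".")
        payload = json.loads(unb64(body))
        tag = unb64(tag_text)
    except ValueError:          # bad base64, bad JSON or wrong number of parts
        return None, "malformed"
    if not isinstance(payload, dict):
        return None, "malformed"
    secret = ring.secret_for(payload.get("kid"), now)
    if secret is None:
        return None, "unknown or retired key"
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None, "bad signature"
    if now >= payload.get("exp", 0):
        return None, "expired"
    if payload.get("dev") != device_id:
        return None, "device mismatch"
    return payload, "ok"


class LicenseService:
    """Toy DRM license service with concurrent stream management (CSM)."""

    def __init__(self, ring, max_streams=2, stream_timeout=120):
        self.ring = ring
        self.max_streams = max_streams
        self.stream_timeout = stream_timeout
        self.active = {}   # subscriber id -> {device id: last license time}

    def request_license(self, token, content_id, device_id, now):
        payload, reason = verify_token(self.ring, token, device_id, now)
        if payload is None:
            return False, reason
        tier = CATALOG.get(content_id)
        if tier is None or tier not in payload["ent"]:
            return False, "not entitled"
        streams = self.active.setdefault(payload["sub"], {})
        # Forget devices whose license renewals stopped arriving.
        for dev, last in list(streams.items()):
            if now - last > self.stream_timeout:
                del streams[dev]
        if device_id not in streams and len(streams) >= self.max_streams:
            return False, "concurrent stream limit"
        streams[device_id] = now
        return True, "license granted"
```

Two design points are worth noting. Verification refuses a token signed under a retired key before it even looks at the expiry, so rotating the secret bounds the damage of a leaked token independently of its TTL; and because every device gets its own token (bound by the dev claim), the concurrent stream count is taken over devices that keep renewing licenses, which is the signal a DRM license service actually sees.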

We are here to help!

Preventing the session token from being stolen is a critical step in protecting your premium content. If you want specific guidance on setting up optimal session token duration or to learn more about the multi-DRM solution to enable secure OTT distribution, don’t hesitate to contact us!