If the playback user is using the correct playback URL, with the correct security token, then his playback request will be authorized. However, you could restrict the secure token validity to the Client IP. This way, even if the unauthorized playback user is using the correct playback URL, his IP address won’t match the one for which that particular secure token hash was generated.
Thanks Zoran for your answer, but I wonder if there is any possibility to forbid simultaneous connections based on the same “login”. I wonder if it is possible to implement given scenario:
our authentication backend checks user credentials and creates signed urls
let’s suppose that user “paluh” had authenticated and our system generated urls for him (there is only one custom parameter for simplicity which contains user login):
My question is:
Is it possible to write such, a plugin which will search for every (all http and rtmp and rstp) session (within given VHost or Application) with “myTokenPrefixLogin=paluh” parameter and “kills” such sessions, before it will allow Bob to access the stream?