I need fast solution because I discovered this loophole the hard way on the production environment which is now offline until this is fixed.
This is the scenario:
There is a security module (onHTTPSessionCreate) that checks if the user is authenticated when he requests the stream with the link:
If the user is not authenticated session is rejected and no problem here.
Now this is happening, an authenticated user requests the link and a chunklist is returned to him
Then he opens the links in a player to keep the session opened, and then shares this links to other users.
On server we noticed this behaviour when only one connection is shown active and the download speed was corresponding for more then 100 users.
Running a test with 3 active connections on same session in the :8086/connectioncounts this was shown
Also when openening the chunklist link directly
the method onHTTPSessionCreate is not called, it is called only when first connection to the playlist is requested.