Implementing a session key is not a problem, that is known and proven technology, something that I as developer use every day (it is the basis of session management in every web based application).
The challenge is to make absolutely sure that the session key is safe, is generated safely and sufficiently random, and that only trusted people can create a session key. Which means authentication and authorisation. Any other authenticated stream works the same. You log in on a website, and once you have established a valid login, the session key is generated and attached to the stream request to validate the request.
A big problem with your suggestion is that in a lot of cases, streaming from enigma is not interactive, but it is a request coming from another device or IPTV client. In which case the URI is the only way to provide authentication.
So back to my original question, what is "path_key" or "stream_key"? What makes it? Where does it come from? How does it determine it is me and not some other person it should not let in?
Currently in use: VU+ Duo 4K (2xFBC S2), VU+ Solo 4K (1xFBC S2), uClan Usytm 4K Pro (S2+T2), Octagon SF8008 (S2+T2), Zgemma H9.2H (S2+T2)
Due to my bad health, I will not be very active at times and may be slow to respond. I will not read the forum or PM on a regular basis.
Many answers to your question can be found in our new and improved wiki.