Thanks Tom, this clarifies some things.
Passing the session-cookie in-URL seemed the way to go as I need the movies protected, and the player itself doesn't seem to play nice with cookies.
RestrictEntireServerToRegisteredUsersP (description "Do we want to allow only registered users to visit this subsite?", package acs-subsite) is a parameter, but after a grep through the OpenACS code this apparently isn't used anywhere.
But I also found RegisterRestrictEntireServerToRegisteredUsersFilters (description "Register filters at startup that will allow each subsite to be restricted to registered users.", package acs-kernel) that enables registration of filters (in
packages/acs-tcl/tcl/admin-init.tcl, and the filter proc ad_restrict_entire_server_to_registered_users in packages/acs-tcl/tcl/security-procs.tcl).
This is enabled at my site to prevent visitors from accessing applications pages that don't require a registered user being logged in yet. Of course I need to look at this, but in the meanwhile the above filter does its job for an internal server...
The idea was then to make an exception to above filters (for the page that serves the movies) to allow for a temporary workaround for the player issues.
Anyway, I got things to work now, so thanks for the help!
greetz,
koen.