Finally I found the answer. The x-playback-session-id is a UUID comes from the AVPlayer Framework. But in fact this won't affect I got token or not. The real token is HTTP cookie.
Authorization process I found:
- token.tvb.com redirect to vod server with a couple of GET value
- VOD Server check GET value and set cookie if valid. Also respond m3u8 file(contains several different quality stream url)
- Player will request one or more url in m3u8 to retrieve streams. VOD server will then check cookie and user-agent as token.
- In the coming time player will keep using the cookie and user-agent as token to request ts files.
p.s. HLS from TVB for android has different process I haven't figure out. But I found that if user-agent contains "Android" then authorization will fail.