rP18140 made it so that the Server identifies the "host" (able to kick...) by listening to clients telling it they're the host. Yes, this is as secure as it sounds.
elexis rightfully raised a concern with it, suggesting that client and server should instead share a secret that the client uses to authenticate itself.
This does that, by generating a GUID appropriately.
It partly reverts rP18140.
This is an obvious step towards dedicated servers (#3556), as those will require some mechanism of identifying a client as controller.
You can experience being host or not by running the patch below and starting with -dedicated . You can then join a game on your local network and be controller. If you add a -dedicated-secret, you'll still be able to join the game, but not as a controller, since you don't have the secret.
(this obviously needs more for proper dedicated servers, but that covers the authentication issue).