[tor-talk] Hiden service and session integrity

[grarpamp]

You should never trust ip for auth (even dhcp changes), or ever
use ip for anything hard against the user. That's what your
authcookie or urlsessionid is for. Do not use ip for auth, it
pisses roaming/traveling/vpn/tor/dhcp/proxy/wifi users off, and
similarly gives you the siteop no useful data. Do not use ip's.

You should always use https, unless you want your cookies
stolen off the wire, your users to get mitm'd, your bits to get
rotted, etc. It's possible, just use it, everywhere, always.