[tor-talk] Hiden service and session integrity
grarpamp at gmail.com
Mon Nov 17 18:09:02 UTC 2014
You should never trust ip for auth (even dhcp changes), or ever
use ip for anything hard against the user. That's what your
authcookie or urlsessionid is for. Do not use ip for auth, it
pisses roaming/traveling/vpn/tor/dhcp/proxy/wifi users off, and
similarly gives you the siteop no useful data. Do not use ip's.
You should always use https, unless you want your cookies
stolen off the wire, your users to get mitm'd, your bits to get
rotted, etc. It's possible, just use it, everywhere, always.
More information about the tor-talk