You should never trust IP for auth (even DHCP changes), or ever use IP for anything hard against the user. That's what your authcookie or urlsessionid is for. Do not use IP for auth; it pisses roaming/traveling/VPN/Tor/DHCP/proxy/WiFi users off, and similarly gives you, the siteop, no useful data. Do not use IPs.
You should always use HTTPS, unless you want your cookies stolen off the wire, your users to get MITM'd, your bits to get rotted, etc. It's possible, just use it, everywhere, always.
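The approach described in the post, as an added example that is not part of the original message: a session token authenticated by an HMAC and never by the client address, delivered in a cookie that browsers send only over HTTPS. The function names, the key handling and the one-hour lifetime are assumptions for illustration; the cookie name `authcookie` follows the post's wording.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment secret, generated here
SESSION_TTL = 3600                    # assumed session lifetime in seconds

def _mac(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_token(user, now=None):
    """Return 'user|expiry|nonce|mac'. The client IP is deliberately not an input.
    Assumes user names contain no '|' character."""
    expiry = int(time.time() if now is None else now) + SESSION_TTL
    body = f"{user}|{expiry}|{secrets.token_hex(8)}"
    return f"{body}|{_mac(body)}"

def verify_token(token, client_ip, now=None):
    """Return the user if the token is authentic and unexpired, else None.
    client_ip is accepted only to show that it plays no part in the decision."""
    try:
        user, expiry, nonce, mac = token.split("|")
        expires_at = int(expiry)
    except ValueError:
        return None  # malformed token
    expected = _mac(f"{user}|{expiry}|{nonce}")
    # Constant-time comparison so the check does not leak MAC bytes via timing.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    if (time.time() if now is None else now) >= expires_at:
        return None
    return user

def session_cookie_header(token):
    """Build the Set-Cookie value: Secure keeps the cookie off plain HTTP,
    HttpOnly hides it from page scripts."""
    cookie = SimpleCookie()
    cookie["authcookie"] = token
    cookie["authcookie"]["secure"] = True
    cookie["authcookie"]["httponly"] = True
    cookie["authcookie"]["samesite"] = "Strict"
    cookie["authcookie"]["path"] = "/"
    return cookie["authcookie"].OutputString()
```

A user whose address changes mid-session (new DHCP lease, different Tor exit, VPN reconnect) stays logged in because only the token's MAC and expiry are checked.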