[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] Hiden service and session integrity
You should never trust ip for auth (even dhcp changes), or ever
use ip for anything hard against the user. That's what your
authcookie or urlsessionid is for. Do not use ip for auth, it
pisses roaming/traveling/vpn/tor/dhcp/proxy/wifi users off, and
similarly gives you the siteop no useful data. Do not use ip's.
You should always use https, unless you want your cookies
stolen off the wire, your users to get mitm'd, your bits to get
rotted, etc. It's possible, just use it, everywhere, always.
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk