So basically, DON’T store the auth token plain text in a cookie, which made way more sense until you explained how nutty this is. My chief question is this: in what way can the account be compromised if I only have channel_read permissions and my site knocks them off if the IP doesn’t match their initial login one?
If I am using secure cookies and HTTPS, doesn’t that mean I need to physically steal their cookie somehow? If I had that kind of access to their machine, couldn’t I just directly use the site from the compromised machine? I will definitely be (at least) using a custom encryption scheme from here on out to store the auth key, but my real question is: could I take a stolen auth key and use it on a totally different website, or does Twitch check against the client ID, secret, and registered domain first?
I apologize for being obtuse, but that last thing just threw me for a bit of a loop.
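As an added example that is not part of the original post, here is the pattern the thread is pushing toward: the browser's cookie holds only a random session id (Secure, HttpOnly), the Twitch token stays in a server-side store, and the login IP is checked on every lookup. All function and variable names are hypothetical, and the token value is constructed.

```python
"""Added example (not from the original thread): keep the OAuth token
server-side and hand the browser only an opaque session id.
Function and variable names here are hypothetical."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    access_token: str   # the OAuth token; it never leaves the server
    scope: str          # e.g. "channel_read"
    client_ip: str      # IP recorded at login, re-checked on each request


SESSIONS: Dict[str, Session] = {}   # in-memory store; use a DB/redis in production


def create_session(access_token: str, scope: str, client_ip: str) -> str:
    """Store the token server-side; return the random id that goes in the cookie."""
    session_id = secrets.token_urlsafe(32)   # 256 random bits, not guessable
    SESSIONS[session_id] = Session(access_token, scope, client_ip)
    return session_id


def set_cookie_header(session_id: str) -> str:
    """The cookie carries only the id. Secure keeps it off plain HTTP,
    HttpOnly keeps it away from page scripts, so there is nothing to encrypt."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def lookup_session(session_id: str, request_ip: str) -> Optional[Session]:
    """Return the session only if the id exists and the IP still matches.
    On an IP mismatch the session is dropped (the thread's 'knock them off')."""
    session = SESSIONS.get(session_id)
    if session is None:
        return None
    if session.client_ip != request_ip:
        del SESSIONS[session_id]
        return None
    return session
```

A stolen cookie now yields only the session id, which the server can revoke at will, and the token itself is never exposed to the client.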