I am using forced ssl, along with attaching the token and username to a login IP. If for some reason someone, somehow, got ahold of the token and tried to perform an action client side with a new IP, it would reject the auth token and force them to generate a new one. I am also assuming that any action taken on a channel using an auth token would also need to come from the registered address client-side. Also, thanks for the tip with secure cookies.