diff --git a/daemon.py b/daemon.py
index 466b65c2..53a3f5dd 100644
--- a/daemon.py
+++ b/daemon.py
@@ -1058,6 +1058,12 @@ class PubServer(BaseHTTPRequestHandler):
 # login success - redirect with authorization
 print('Login success: '+loginNickname)
 self.send_response(303)
+ # This produces a deterministic token based on nick+password+salt
+ # But notice that the salt is ephemeral, so a server reboot changes them.
+ # This allows you to be logged in on two or more devices with the
+ # same token, but also ensures that if an adversary obtains the token
+ # then rebooting the server is sufficient to thwart them, without
+ # any password changes.
 if not self.server.salts.get(loginNickname):
 self.server.salts[loginNickname]=createPassword(32)
 self.server.tokens[loginNickname]=str(sha256((loginNickname+loginPassword+self.server.salts[loginNickname]).encode('utf-8')))
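Review bot: The new comment says the token is a deterministic function of nick+password+salt, but the last line of the hunk computes `str(sha256(...))`, which — if `sha256` is `hashlib.sha256` — is the repr of the hash object (`<sha256 _hashlib.HASH object @ 0x...>`), not the digest; the stored token then carries an object address rather than any hash output, so it is neither deterministic nor derived from the inputs, and the "same token on two or more devices" property the comment promises does not hold (each login overwrites `self.server.tokens[loginNickname]` with a fresh repr). The line should be `self.server.tokens[loginNickname]=sha256((loginNickname+loginPassword+self.server.salts[loginNickname]).encode('utf-8')).hexdigest()`. Since the comment is also the only documentation of the token scheme, it would help to state there that `createPassword(32)` is what makes the salt unpredictable and that the token is only as secret as the per-process `salts` dict; I cannot confirm from the hunk how `createPassword` is implemented or where `sha256` is imported from. The enclosing method starts and ends outside the hunk.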