diff --git a/lib/LDV/Comments.pm b/lib/LDV/Comments.pm
index 3dbe34f..f063715 100644
--- a/lib/LDV/Comments.pm
+++ b/lib/LDV/Comments.pm
@@ -34,7 +34,7 @@ sub add {
   eval {
     my $sectoken = $self->session('c_sectoken')
       or die("missing security token\n");
-    my ($ip, $upto) = ($sectoken =~ m{^[0-9a-f\.:]+-\d+$}io)
+    my ($ip, $upto) = ($sectoken =~ m{^([0-9a-f\.:]+)-(\d+)$}io)
       or die("malformed security token\n");
     ($upto > time())
       or die("expired security token\n");
@@ -103,10 +103,11 @@ sub create {
 
   eval {
     die("request error\n")
-      unless $self->req->is_xnr;
+      unless $self->req->is_xhr;
     my $ip = $self->tx->remote_address
       or die("can't find remote ip\n");
-    $self->session({c_sectoken => $ip . '-' . time() + 60 * 7});
+    my $sectoken = sprintf "%s-%d", $ip, time() + 60 * 7;
+    $self->session(c_sectoken => $sectoken);
     my $pageid = $self->_gen_pageid()
       or die("can't get pageid\n");
     $self->stash({pageid => $pageid});