diff --git a/README.md b/README.md
index 7fbed77a846eb6df7f03586813c3547e16c8ab08..20ca97e4c1ccd139da60f9c4f375ecb10b947f37 100644
--- a/README.md
+++ b/README.md
@@ -24,7 +24,7 @@ RDPGW wants to be secure when you set it up from the beginning. It does this by
 Connect integration enabled by default. Cookies are encrypted and signed on the client side relying
 on [Gorilla Sessions](https://www.gorillatoolkit.org/pkg/sessions). PAA tokens (gateway access tokens)
 are generated and signed according to the JWT spec by using [jwt-go](https://github.com/dgrijalva/jwt-go)
-signed with a 512 bit HMAC. Hosts provided by the user are verified against what was provided by
+signed with a 256 bit HMAC. Hosts provided by the user are verified against what was provided by
 the server. Finally, the client's ip address needs to match the one it obtained the token with.
 
 ## How to build
diff --git a/client/remote.go b/client/remote.go
index f7e70b097e514f1f761e690e9a57c307f61f39d5..141f6c9fe7c5c9196424531437a72914e5261f47 100644
--- a/client/remote.go
+++ b/client/remote.go
@@ -2,6 +2,7 @@ package client
 
 import (
 	"context"
+	"net"
 	"net/http"
 	"strings"
 )
@@ -31,10 +32,10 @@ func EnrichContext(next http.Handler) http.Handler {
 			ctx = context.WithValue(ctx, ProxyAddressesCtx, proxies)
 		}
 
-		remote := r.Header.Get("REMOTE_ADDR")
-		ctx = context.WithValue(ctx, RemoteAddressCtx, remote)
+		ctx = context.WithValue(ctx, RemoteAddressCtx, r.RemoteAddr)
 		if h == "" {
-			ctx = context.WithValue(ctx, ClientIPCtx, remote)
+			clientIp, _, _ := net.SplitHostPort(r.RemoteAddr)
+			ctx = context.WithValue(ctx, ClientIPCtx, clientIp)
 		}
 		next.ServeHTTP(w, r.WithContext(ctx))
 	})
diff --git a/protocol/handler.go b/protocol/handler.go
index dc55fac54a47addd40833141575b098a96195a37..4330c566f9ad130cd37936445925dd7048a931aa 100644
--- a/protocol/handler.go
+++ b/protocol/handler.go
@@ -78,7 +78,7 @@ func (h *Handler) Process(ctx context.Context) error {
 
 		switch pt {
 		case PKT_TYPE_HANDSHAKE_REQUEST:
-			log.Printf("Handshake")
+			log.Printf("Client handshake from %s", client.GetClientIp(ctx))
 			if h.State != SERVER_STATE_INITIAL {
 				log.Printf("Handshake attempted while in wrong state %d != %d", h.State, SERVER_STATE_INITIAL)
 				return errors.New("wrong state")
diff --git a/security/jwt.go b/security/jwt.go
index 836245d94b31beb6589232ac098298556260bdeb..ef253980fdb163997c33bbd2539fec86c6c17632 100644
--- a/security/jwt.go
+++ b/security/jwt.go
@@ -36,7 +36,7 @@ func VerifyPAAToken(ctx context.Context, tokenString string) (bool, error) {
 	if c, ok := token.Claims.(*customClaims); ok && token.Valid {
 		s := getSessionInfo(ctx)
 		s.RemoteServer = c.RemoteServer
-		s.ClientIp = client.GetClientIp(ctx)
+		s.ClientIp = c.ClientIP
 		return true, nil
 	}
 
@@ -78,6 +78,7 @@ func GeneratePAAToken(ctx context.Context, username string, server string) (stri
 
 	c := customClaims{
 		RemoteServer: server,
+		ClientIP: client.GetClientIp(ctx),
 		StandardClaims: jwt.StandardClaims{
 			ExpiresAt: exp,
 			IssuedAt: now,
@@ -86,7 +87,7 @@ func GeneratePAAToken(ctx context.Context, username string, server string) (stri
 		},
 	}
 
-	token := jwt.NewWithClaims(jwt.SigningMethodHS512, c)
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, c)
 	if ss, err := token.SignedString(SigningKey); err != nil {
 		log.Printf("Cannot sign PAA token %s", err)
 		return "", err