Would adding a HMAC string to the cookie value not get around this issue? For example, Tornado has the set_secure_cookie method (http://www.tornadoweb.org/en/stable/web.html#tornado.web.Req...), would this not prevent this sort of attack? Even if a script modified the cookies, they would never (well, hopefully never) be able to generate the correct HMAC token so the server could just discard the cookies. You'd still be able to sign a user out but there wouldn't be a security issue (I think). Anyone smart able to verify/refute?
Would it increase security to include the user-agent, or part of the user-agent, in the HMAC secret? So the secret was "abc123Mozilla[etc]", that would then presumably require identical browsers to work, at the expense of logging everyone out every time their browser updates. Or include all, or part of the IP address to restrict the network.
Using the IP address to restrict it would work, since now the attacker would need to have the same IP address to get a session that will stick, but this may cause users to be logged out when their ISP changes their IP, or when they move from home to a coffee shop for instance.
No, that's not useful. Cookie tossing attacks need not generate their own cookies -- it's just as effective, if not more so, to toss cookies for a session that was generated for another user.
