I just started reading about cookies and all the ways I can get them wrong and allow cookies to be hijacked which allows attackers to do things like impersonate a logged in user.
I don't understand why this can't be solved by simply having the server add to each cookie a signature determined by the rest of the cookie, a secret key on the server, and the IP of whoever is making the request. Stolen cookies would then be mostly useless for anyone who can't receive a response at that IP. Any readable data in a stolen cookie itself could still be accessed but stolen cookies couldn't be used to impersonate someone else.
Why doesn't this work? Is there some way to receive packets bound for an IP address that you don't control? I know that on my local network I can read packets meant for other computers on my local network but I don't think there's any way to send a copy of all the packets meant for stackoverflow.com to my residential IP.
If this was our only means of security you could still send spoofed requests but you couldn't trick the server into sending anything back to your own IP (I think) which still seems useful.
I didn't find anything about associating cookies with IPs on google so I figure this doesn't work but I don't know why.