John (not verified) June 20, 2014

Because the IP and UserAgent are stored in the cookie, an attacker stealing a cookie using XSS will be unable to use it, as their IP and UserAgent will not match the values in the cookie. If you can run JS at the target web site, you can easily get the user agent using navigator.userAgent. The IP address is easily obtained if the XSSed browser can be forced to send only a single request to your server.
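The binding check John describes, as an added example that is not part of the original comment or site: the server issues a cookie carrying the session id, IP and User-Agent under an HMAC, then verifies a later request against the IP and UA presented with it. The secret, field names and sample addresses are constructed for the demo.

```python
import hashlib
import hmac
import json
from base64 import urlsafe_b64decode, urlsafe_b64encode

# Constructed demo key; a real server would load a random secret from config.
SERVER_SECRET = b"constructed-demo-secret"


def issue_cookie(session_id: str, ip: str, user_agent: str) -> str:
    """Issue a cookie that binds session_id to the issuing client's IP and UA.

    The payload is only integrity-protected (HMAC), not encrypted, so the
    stored IP and UA are readable by anything that can read the cookie.
    """
    fields = {"sid": session_id, "ip": ip, "ua": user_agent}
    payload = urlsafe_b64encode(json.dumps(fields).encode()).decode()
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie(cookie: str, request_ip: str, request_ua: str):
    """Return the session id if the cookie is intact and the request's IP
    and UA equal the stored values; otherwise None.

    The check knows nothing beyond these two presented values: any request
    that carries the cookie together with a matching IP and UA is accepted.
    """
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None  # malformed cookie
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered cookie
    fields = json.loads(urlsafe_b64decode(payload))
    if fields["ip"] != request_ip or fields["ua"] != request_ua:
        return None  # binding mismatch between stored and presented values
    return fields["sid"]


def demo() -> dict:
    """Exercise the check with constructed values (documentation-range addresses)."""
    ua = "Mozilla/5.0 (constructed demo UA)"
    cookie = issue_cookie("sess-123", "203.0.113.10", ua)
    return {
        "issuing_client": verify_cookie(cookie, "203.0.113.10", ua),
        "other_ua": verify_cookie(cookie, "203.0.113.10", "curl/8.0 (constructed)"),
        "other_ip": verify_cookie(cookie, "198.51.100.7", ua),
        "tampered": verify_cookie(cookie[:-1] + ("0" if cookie[-1] != "0" else "1"),
                                  "203.0.113.10", ua),
    }
```

Only the two presented values and the MAC are consulted, which is why the scheme adds nothing once a script running in the victim's page can learn them as the comment describes.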