WebApp Sec: Re: How to protect against cookie stealing?

[Marc Slemko <marcs () znep com>]

Why are people going off on increasingly wild and completely
impractical and horribly insecure tangents ("hey, lets just create
an activex control that the user installs that uses their MAC
address for security") without once mentioning the fact that the
net impact of cross site scripting attacks (and related cross domain
validation type bugs in browsers) is NOT just the ability to steal
cookies, it is the ability to completely control the user's
interaction with the site, if a client side scripting language such
as javascript is enabled.

The authentication token is not the holy grail: I don't need a
user's cookie or SSL certificate or cereal box decoder ring if I
can just tell their browser to jump through a given series of
actions on a site and then send the results off via a HTTP request
to some other site.

Don't get me wrong, ensuring your authentication scheme is secure against
a variety of attacks is good.  But don't forget the bigger picture.