Why not keep a dictionary that maps the cookie credential to the IP used when the credential was granted, and make sure that the IP matches the dictionary entry on every page access? Implement caching as necessary, bake at 350 degrees for 15 minutes, and, voila! Fewer XSS problems. I guess someone could still masquerade as someone else if they’re on the same LAN behind the same router, but hey, you can actually go pummel that person for reallzies since they’re probably physically pretty close to you.