by ylk 42 days ago
There are (illegal) marketplaces on which initial access brokers sell session cookies. Some companies try to defend against that by e.g. checking whether it is even possible that you travelled from place A to place B within a certain timeframe and, based on that, might invalidate your cookie. But then again, attackers, depending on their sophistication, find their way around it by ensuring they proxy their traffic via geographically close residential proxies, use the same OS and browser versions, etc.

Google now wants to bind credentials to a device by storing the secret in the TPM: https://blog.google/security/protecting-cookies-with-device-...


Cookies can be up to 4 KB in size - that should be enough to encode a fingerprint of your device.
The cookie should always be minimal and arbitrary. If you want to fingerprint the device and have confidence in its correctness, it's something you should store on the server (or at least store a hash of it on the server).

Anything that is on a client device can be manipulated without your awareness.
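The two designs contrasted in the reply above, as an added example that is not code from either commenter: an opaque session token whose device fingerprint digest lives only in a server-side table, next to the anti-pattern where the digest is shipped inside the cookie and trusted on the way back. The fingerprint inputs (User-Agent, Accept-Language, the client's /24), the in-memory session table and the sample headers are all assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Assumption: one secret per deployment, held only on the server, so a leaked
# session table does not reveal raw fingerprints.
SERVER_KEY = secrets.token_bytes(32)
# Server-side session store: opaque token -> {"user": ..., "fp_mac": ...}
SESSIONS = {}


def fingerprint(headers):
    """Canonical fingerprint built from properties the server observes itself
    (never from a value the client asserts). The /24 of the client IP is used
    rather than the full address so a home router re-lease does not log the
    user out; this is a design choice, not a rule."""
    ip_prefix = headers.get("client-ip", "").rsplit(".", 1)[0]
    return "|".join([headers.get("user-agent", ""), headers.get("accept-language", ""), ip_prefix])


def fp_mac(fp):
    return hmac.new(SERVER_KEY, fp.encode(), hashlib.sha256).hexdigest()


def create_session(user, headers):
    """Cookie value is minimal and arbitrary; the binding lives server-side."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": user, "fp_mac": fp_mac(fingerprint(headers))}
    return token


def validate(token, headers):
    """Return the user if the token exists and the request still matches the
    fingerprint recorded at login, else None."""
    sess = SESSIONS.get(token)
    if sess is None:
        return None
    if not hmac.compare_digest(sess["fp_mac"], fp_mac(fingerprint(headers))):
        return None
    return sess["user"]


# Anti-pattern: the fingerprint digest rides in the cookie and the server
# compares it against the current request. Whoever holds the cookie can
# rewrite the digest to describe their own browser.
def create_cookie_naive(user, headers):
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": user}
    return f"{token}.{hashlib.sha256(fingerprint(headers).encode()).hexdigest()}"


def validate_naive(cookie, headers):
    token, _, claimed = cookie.partition(".")
    sess = SESSIONS.get(token)
    if sess is None:
        return None
    current = hashlib.sha256(fingerprint(headers).encode()).hexdigest()
    if not hmac.compare_digest(claimed, current):
        return None
    return sess["user"]


# Constructed request headers for the victim's browser and the attacker's.
VICTIM = {"user-agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124",
          "accept-language": "en-GB", "client-ip": "203.0.113.10"}
ATTACKER = {"user-agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/125",
            "accept-language": "ru", "client-ip": "198.51.100.7"}


def demo():
    """Exercise both designs with a stolen cookie and return the outcomes."""
    tok = create_session("alice", VICTIM)
    bound_ok = validate(tok, VICTIM)            # "alice"
    bound_stolen = validate(tok, ATTACKER)      # None: server-side digest mismatch

    cookie = create_cookie_naive("alice", VICTIM)
    naive_stolen = validate_naive(cookie, ATTACKER)   # None: digest mismatch
    # The attacker simply replaces the digest with one for their own browser.
    token = cookie.partition(".")[0]
    forged = f"{token}.{hashlib.sha256(fingerprint(ATTACKER).encode()).hexdigest()}"
    naive_forged = validate_naive(forged, ATTACKER)   # "alice": check defeated
    return {"bound_ok": bound_ok, "bound_stolen": bound_stolen,
            "naive_stolen": naive_stolen, "naive_forged": naive_forged}


if __name__ == "__main__":
    print(demo())
```

The server-side variant still accepts a replay that comes through a residential proxy in the victim's /24-equivalent region with the victim's User-Agent and language copied, which is the evasion the first comment describes; a fingerprint only raises the cost of theft, it does not make the cookie unusable off the original device.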