Can cookies be copied between machines to impersonate a user?
Yes, stealing cookies is a common technique to steal a session from a user.
Some sites try to bind a cookie to the IP of the client, but this fails in the face of big corporate proxies with multiple outbound interfaces or other non-residential setups.
Absolutely. This is one way that cross-site scripting (XSS) attacks work:
- I inject JavaScript into a page
- I wait for someone to look at the page
- The JavaScript I injected sends me your cookies
- I log in as you and do bad things
This particular issue bit SO during the private beta.
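As an added example (not from either answer above), a small Python checker for the cookie attributes that limit the theft just described: HttpOnly keeps a cookie out of `document.cookie` so injected script cannot read it, Secure keeps it off plaintext connections, and SameSite limits when it is sent on cross-site requests. The two Set-Cookie headers are constructed samples with placeholder values.

```python
"""Audit a Set-Cookie header for the attributes that limit session theft."""
from typing import Dict, List, Tuple

# Constructed sample headers; the cookie values are placeholders, not real sessions.
WEAK_HEADER = "sessionid=PLACEHOLDER_SESSION_VALUE; Path=/"
HARDENED_HEADER = "sessionid=PLACEHOLDER_SESSION_VALUE; Path=/; HttpOnly; Secure; SameSite=Lax"


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie header into the cookie name and its attributes.

    Attribute names are lower-cased; flag attributes (HttpOnly, Secure) map to
    an empty string. Only the cookie name is returned, never its value.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_set_cookie(header: str) -> List[str]:
    """Return the weaknesses found in one Set-Cookie header (empty list if none)."""
    name, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, readable via document.cookie by injected script")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, sent over plaintext HTTP where it can be sniffed")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not set to Lax or Strict, sent on cross-site requests")
    if samesite == "none" and "secure" not in attrs:
        findings.append(f"{name}: SameSite=None requires Secure; modern browsers reject it otherwise")
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(label, audit_set_cookie(header) or ["ok"])
```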