how to ensure session's 'secure' cookies are actually secure


Chris Morris

May 1, 2014, 9:53:24 AM
to web...@googlegroups.com
Webapp2 session's secure cookie is signed by the server's private key. This keeps someone from crafting their own cookies and having the server accept them. However, couldn't someone take the cookies from session X and pass them as cookies in another session Z (man in the middle attack)? It seems that the only way to prevent this is to require that one of the cookies be used to identify the user to whom the cookies apply. This way, cookies meant for a session w/ user X can only be used for a session w/ user X; they cannot be used w/ a session for user Z.

Example where the server doesn't validate a 'user id' cookie (insecure):
1. server sets cookie C for user X
2. server sets cookie D for user Y
3. user Y sends cookie D while impersonating X
4. since both C and D are signed w/ the server's private key, the server accepts D and treats it as if it is a valid cookie in X's account

Example where the server validates a 'user id' cookie (secure):
1. server sets cookie C for user X, and also sets an 'id' cookie w/ the id of user X
2. server sets cookie D for user Y, and also sets an 'id' cookie w/ the id of user Y
3. user Y sends cookie D while impersonating X
4. the server will look at the 'id' cookie that accompanies D and see that the id is for user Y. The server then realizes that the supplied cookie can only apply to Y, and thus won't treat it as valid for user X

caveat: I'm not experienced w/ cryptography and sessions, cookies, etc., so please be gentle in case my post reveals a glaring misunderstanding of these concepts!
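An added example (not from the post or from webapp2 itself) of the second scenario above: the user id travels inside the signed session value, so the server can check both that the signature is genuine and that the session was issued for the user it is being presented as. The secret, the cookie layout and the sample sessions are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real server loads this from its configuration.
SERVER_SECRET = b"constructed-demo-secret-do-not-use"


def _sign(payload: bytes, secret: bytes = SERVER_SECRET) -> str:
    """HMAC-SHA256 over the serialised payload, hex encoded."""
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def make_session_cookie(user_id: str, data: dict, secret: bytes = SERVER_SECRET) -> str:
    """Serialise the session together with the user id it belongs to and sign
    the whole thing. Because the id is inside the signed payload, a client
    cannot change it without invalidating the signature."""
    body = json.dumps({"uid": user_id, "data": data}, sort_keys=True).encode()
    payload = base64.urlsafe_b64encode(body)
    return payload.decode() + "." + _sign(payload, secret)


def load_session_cookie(cookie: str, expected_user_id: str, secret: bytes = SERVER_SECRET):
    """Return the session data only if the cookie is authentic AND was issued
    for expected_user_id; otherwise return None. The MAC is checked before the
    contents are parsed, so a forged cookie is never trusted."""
    try:
        payload_b64, sig = cookie.rsplit(".", 1)
    except ValueError:
        return None  # malformed: no signature separator
    payload = payload_b64.encode()
    if not hmac.compare_digest(_sign(payload, secret), sig):
        return None  # forged or tampered
    try:
        body = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        return None
    if body.get("uid") != expected_user_id:
        return None  # authentic, but issued for a different user (cookie D vs user X)
    return body.get("data")


if __name__ == "__main__":
    cookie_c = make_session_cookie("X", {"cart": ["book"]})  # step 1: C for user X
    cookie_d = make_session_cookie("Y", {"cart": []})        # step 2: D for user Y
    print(load_session_cookie(cookie_d, "X"))  # step 3/4: D presented as X -> None
    print(load_session_cookie(cookie_c, "X"))  # C presented as X -> {'cart': ['book']}
```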