Same session cookies for a user logging from different browser/machine

So i new to web application security and have a doubt regarding session cookies. Which is more vulnerable:

  1. Having same session cookies for a user logging in from different machine/browser

or

  1. Having different session cookies for a use logging in from different machine/browser

if possible can you provide a quick scenario how each can be exploited

Thank you

Is there a way to limit cookies to certain hosts in HTTP?

Using Nginx, I hope to restrict the permissible hosts for cookies. My initial intention was to employ a Content Security Policy for this purpose, but I don’t see an obvious way to do this via a CSP. Ideally I’d find something like

Restrict-Cookies-Header: hostname1.tld hostname2.tld2 

Can something like this be accomplished with HTTP headers? Thanks!

Firefox: What would be more secure/private: storing session cookies or saving password in the browser?

I am wondering, assuming the latest version of Firefox, which of the following options would be more preferable security-wise (e.g. assess and/or password to user account will be stolen) and which one privacy-wise (exposing user to the least advertisement tracking etc.):

  1. Storing session cookies (i.e. logging in and never logging out), but not saving password & username in browser built-in Password Manager.
  2. Saving password & username in built-in Password Manager (without Master Password) and setting cookies and site data to be cleared when browser is closed.

P.S.: I am aware that using Master Password for password storage will increase security of the stored passwords. Though I am not wondering how to improve given options, but would like to asses them “as is”.

Using XSS to Steal Cookies WITHOUT access to external server

I’m working on a project where we need to craft an HTML page that launches a CSRF attack that logs in to an attacker account on a victim computer. The biggest hurdle however is an authorization cookie needed to login.

I need to do an XSS attack on this website to steal the cookie needed and use it in the CSRF attack. However the catch is that the XSS attack must be done entirely on the html page itself, I can’t have a server or website that can catch the cookies from rudimentary XSS attack. This is where all the XSS cookie Steelers in finding falter, they rely on an external server to catch the cookies.

Does anyone know how I can perform XSS cookie stealing entirely within an HTML file?