Many sites are not properly secured against session hijacking.
1. Randomly generate session ids (i.e. not sequential)
2. 50 character minimum length
3. Expire every 15 minutes
4. Tie session ID to source IP
5. Send over SSL
The top four of these are configurable in your web server in a few minutes.
Forcing IP to match Session ID can be a problem on cellular providers that change IP addresses when you cross cell towers. Maybe those wireless providers should fix their networks to maintain IP addresses.
Session IDs in URLs may be problematic: they can be saved in browser history, or sent to another person and reused if the session is not tied to an IP address.
To prevent session fixation, regenerate the session ID on login. .NET forces you to do this manually via Session.Abandon().
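
The checklist and the regenerate-on-login rule above, as an added Python example that is not part of the original note: a minimal in-memory session store. The names SessionStore, validate, login and session_cookie are hypothetical, and the HttpOnly cookie flag is an addition beyond the list.

```python
import secrets
import time

SESSION_TTL = 15 * 60      # item 3: expire every 15 minutes
MIN_ID_LENGTH = 50         # item 2: 50 character minimum length


class SessionStore:
    """In-memory session table (hypothetical; a real site would use its framework's store)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so expiry can be exercised in tests
        self._sessions = {}          # session id -> record

    def create(self, client_ip, user=None):
        # item 1: CSPRNG output, not sequential; 48 random bytes encode to 64 URL-safe chars
        sid = secrets.token_urlsafe(48)
        if len(sid) < MIN_ID_LENGTH:
            raise ValueError("session id shorter than the required minimum")
        self._sessions[sid] = {"ip": client_ip, "user": user,
                               "expires": self._clock() + SESSION_TTL}
        return sid

    def validate(self, sid, client_ip):
        """Return the session record, or None if unknown, expired or from another IP."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self._clock() >= rec["expires"]:
            del self._sessions[sid]            # item 3: drop expired sessions
            return None
        if rec["ip"] != client_ip:             # item 4: ID is tied to source IP
            return None
        return rec

    def login(self, old_sid, client_ip, user):
        """Fixation defence: discard the pre-login ID and issue a fresh one."""
        self._sessions.pop(old_sid, None)
        return self.create(client_ip, user)


def session_cookie(sid):
    # item 5: Secure keeps the cookie off plain HTTP; HttpOnly (added here) hides it from scripts
    return f"sid={sid}; Secure; HttpOnly; Path=/; Max-Age={SESSION_TTL}"
```

Sending the ID in a cookie rather than the URL also keeps it out of browser history.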