First you should use SSL to protect against packet sniffing. Then you should do the following:
- When a session is created, add the IP address of the client to the session.
- On subsequent requests make sure the IP address of the client for the request matches the IP address of the client stored in the session.
This way the hacker would not only need to calculate a valid session id but also determine the IP address of the client for that session id.
NOTE: this solution won't work well with web servers that run behind a proxy server since in this case the client IP address will be the same for all requests.
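As an added example (not part of the original answer, and not tied to any particular web framework), here is a minimal Python session store that implements the two steps above: the client IP is recorded when the session is created, and every later request is rejected unless its IP matches. The session ids, the in-memory store, the idle timeout and the sample addresses are all constructed for the example.

```python
import secrets
import time

# Constructed in-memory session store: session_id -> record.
# A real server would use its normal session backend instead.
SESSIONS = {}
SESSION_TTL_SECONDS = 1800  # hypothetical idle timeout, not from the original answer


def create_session(user, client_ip, now=None):
    """Create a session and bind it to the IP address the client used."""
    now = time.time() if now is None else now
    # 32 bytes from the OS CSPRNG: an attacker cannot "calculate" this id,
    # which is the first half of the defence described in the answer.
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "ip": client_ip, "last_seen": now}
    return session_id


def validate_session(session_id, client_ip, now=None):
    """Return the session's user, or None if the request must be rejected.

    The request is rejected, and the session destroyed, when the id is
    unknown, the session has been idle too long, or the requesting IP
    differs from the IP the session was bound to at creation. Destroying the
    session on a mismatch means a hijack attempt also logs out the real
    user, which is the safer failure mode.

    client_ip must be the address of the actual client. Behind a reverse
    proxy the server sees the proxy's address on every request, so the
    check only helps if the proxy passes the real address on (for example
    in an X-Forwarded-For header) and the server trusts that proxy alone.
    """
    now = time.time() if now is None else now
    record = SESSIONS.get(session_id)
    if record is None:
        return None
    if now - record["last_seen"] > SESSION_TTL_SECONDS:
        del SESSIONS[session_id]
        return None
    if record["ip"] != client_ip:
        del SESSIONS[session_id]
        return None
    record["last_seen"] = now
    return record["user"]


def handle_request(cookies, remote_addr, now=None):
    """Resolve the user for a request given its cookies and source address.

    `cookies` is a plain dict standing in for the framework's cookie jar;
    the cookie name "sid" is an assumption for this example.
    """
    session_id = cookies.get("sid")
    if session_id is None:
        return None
    return validate_session(session_id, remote_addr, now=now)


if __name__ == "__main__":
    # Constructed walk-through using RFC 5737 documentation addresses.
    sid = create_session("alice", "203.0.113.10")
    print(handle_request({"sid": sid}, "203.0.113.10"))   # alice
    print(handle_request({"sid": sid}, "198.51.100.7"))   # None: IP mismatch, session destroyed
    print(handle_request({"sid": sid}, "203.0.113.10"))   # None: session no longer exists
```

The IP check is a second factor on top of an unguessable id, not a replacement for it: it raises the bar for a replayed id but, as the answer notes, it stops working when the server cannot see each client's real address, and it will also log out legitimate users whose address changes mid-session (mobile networks, some corporate egress).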