To avoid future session hijacking, why don't we implement something to prevent it?
How about taking advantage of browser fingerprinting (keeping a record of either browser agent strings, OS version, or anything that is unique to every visitor) and using that to form a unique session ID?
This new unique...