Jeff Prosise wrote a nice article on msdn mag about making it harder to hijack asp.net session.

i am a little bit worried about performance – but hey – you can’t have everything :)