In a previous note, php at 5mm de describes how to prevent session hijacking by
ensuring that the session id provided matches the HTTP_USER_AGENT and REMOTE_ADDR fields that were present when the session id was first issued. It should be noted that HTTP_USER_AGENT is supplied by the client, and so can be easily modified by a malicious user. Also, the client IP addresses can be spoofed, although that's a bit more difficult. Care should be taken when relying on the session for authentication.