WebApp Sec mailing list archives

How to protect against cookie stealing?


From: "Phil Cox" <Phil.Cox () SystemExperts com>
Date: Wed, 23 Jul 2003 22:33:45 -0700

All,

I have a question on how people are handling cookie stealing and session
segregation. For example, it is possible to use session cookie information
on multiple systems for most (all?) web applications I know of.  Here is a
scenario:

When a user logs in he is assigned a BLAH_SESSIONID cookie which serves as
an authorization mechanism in the application. The application does not
associate the cookie with any session-specific information (e.g., source IP
address), so another user can also use the BLAH_SESSIONID cookie to access
the same information (over a different TCP/IP session) that the legitimate
user can. If an attacker obtains, or guesses, a valid BLAH_SESSIONID cookie
for an active session, he can use it without the user's knowledge. For
example, I was able to execute the following command using a BLAH_SESSIONID
that was obtained from another session. Command on a Linux box:

  # curl -b "BLAH_SESSIONID=0000FDHTNLVY5WX" https://somesite.com/App/Function?

  Returns the page: (some portion of the returned page)

Historically I have believed that having the application associate the
BLAH_SESSIONID session cookie and its associated privileges with a specific
SSL session or source IP address would prevent this session stealing. But
recently I have been told that this solution does not work because of the
dynamic-IP nature of MANY ISPs and the disassociation of SSL/HTTP. I would
like to know what others are doing to solve this problem, or if they are
just not solving it at all.

Thoughts and comments are appreciated...

Phil

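The scenario Phil describes (a session cookie that is a pure bearer token) and the source-IP binding he asks about, as an added example that is not part of the original post or of any real application: a toy in-memory session store in Python that runs the replay with and without binding, and also shows the dynamic-IP caveat raised in the post. The cookie name BLAH_SESSIONID is taken from the post; the class and function names, the IP addresses (RFC 5737 test ranges) and the session values are all constructed for the demo, and nothing here talks to somesite.com.

```python
"""Toy session store modelling cookie replay and source-IP binding.

Added example, not code from the original post. SessionStore, handle_request,
replay_scenarios and every address below are assumptions made up for the demo.
"""
import secrets
import time
from http.cookies import SimpleCookie

SESSION_COOKIE = "BLAH_SESSIONID"  # cookie name used in the post


class SessionStore:
    """In-memory session table; each session ID is a bearer token."""

    def __init__(self, bind_to_ip=False):
        self.bind_to_ip = bind_to_ip
        self._sessions = {}  # sid -> {"user": str, "ip": str, "created": float}

    def login(self, user, source_ip):
        # 128 bits from the OS CSPRNG, so a live ID cannot be guessed; a short
        # or sequential ID is what makes the "guesses" path in the post viable.
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"user": user, "ip": source_ip, "created": time.time()}
        return sid

    def resolve(self, sid, source_ip):
        """Return the user owning `sid`, or None if the request is rejected."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self.bind_to_ip and session["ip"] != source_ip:
            # Cookie minted for another address: refuse it. The check cannot
            # tell a thief from the real user whose ISP just re-addressed them.
            return None
        return session["user"]


def handle_request(store, cookie_header, source_ip):
    """Model one HTTP request: parse the Cookie: header as `curl -b` sends it
    and resolve the session. Returns the authenticated user or None."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if SESSION_COOKIE not in jar:
        return None
    return store.resolve(jar[SESSION_COOKIE].value, source_ip)


def replay_scenarios():
    """Run the cases the post raises and return {case: user-or-None}."""
    results = {}

    # Case 1: no binding (the behaviour observed in the post). A cookie copied
    # from alice's session works from any address.
    unbound = SessionStore(bind_to_ip=False)
    sid = unbound.login("alice", "203.0.113.10")  # constructed address
    results["unbound_replay"] = handle_request(
        unbound, f"{SESSION_COOKIE}={sid}", "198.51.100.7")  # attacker's address

    # Case 2: session bound to source IP. The owner still works; the replay
    # from the attacker's address is refused.
    bound = SessionStore(bind_to_ip=True)
    sid = bound.login("alice", "203.0.113.10")
    results["bound_owner"] = handle_request(
        bound, f"{SESSION_COOKIE}={sid}", "203.0.113.10")
    results["bound_replay"] = handle_request(
        bound, f"{SESSION_COOKIE}={sid}", "198.51.100.7")

    # Case 3: the caveat. alice's ISP hands her a new address mid-session (or
    # a proxy pool rotates its egress IP); the binding locks her out as well.
    results["bound_owner_new_ip"] = handle_request(
        bound, f"{SESSION_COOKIE}={sid}", "203.0.113.99")

    # Case 4: a guessed or stale ID is never honoured, bound or not.
    results["guessed"] = handle_request(
        bound, f"{SESSION_COOKIE}=0000FDHTNLVY5WX", "203.0.113.10")
    return results


if __name__ == "__main__":
    for case, user in replay_scenarios().items():
        print(f"{case:20s} -> {user!r}")
```

Binding to the SSL session instead of the source IP has the same shape: record a per-connection attribute at login and compare it on every request. It also fails the same way, whenever that attribute legitimately changes under the user (a new SSL handshake, an IP re-assignment), which is the trade-off the post is asking about.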