Session hijacking is always an issue if your network traffic can be
compromised - and on the web it usually can - which is why you have
encrypted viewstate in .NET, and SSL to fall back on should you require it.
However, it's not usually something you worry about unless your transactions
are mission critical or financial, then not using enhanced security is a
real foolish thing to do.
Have a read of this; it's a very good explanation of your concerns.
http://msdn.microsoft.com/chats/vstudio/vstudio_121201.asp
--
Regards
John Timney (Microsoft ASP.NET MVP)
----------------------------------------------
<shameless_author_plug>
Professional .NET for Java Developers with C#
ISBN:1-861007-91-4
Professional Windows Forms
ISBN: 1861005547
Professional JSP 2nd Edition
ISBN: 1861004958
Professional JSP
ISBN: 1861003625
Beginning JSP Web Development
ISBN: 1861002092
</shameless_author_plug>