From a Defcon conference I found these solutions for session attacks.
• Prevent XSS
• Use a different SID generation method
• IP address check implemented with SID generation
• Use a hash of the IP as part of SID generation
• Authentication takes place by regenerating the SID and comparing
It may not give us foolproof security, but we can make some modifications to it to achieve our goal against session attacks, like a pool of algorithms for generating the SID + a hash of the token ID + a hashed/encrypted algorithm code, etc.
What is your opinion about this solution?
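As an added example (not from the post or the Defcon talk it cites), here is one way the last three bullets fit together: the server issues a SID made of a random token plus an HMAC over that token and the client's IP, and validates a presented SID by recomputing the HMAC and comparing in constant time. The server key, the `|` separator and the `token.tag` layout are assumptions of this example; the IP addresses in the usage section are constructed test values.

```python
import hashlib
import hmac
import secrets

# Assumed: a per-deployment secret loaded from a secret store.
# Generated at import time here only so the example runs stand-alone.
SERVER_KEY = secrets.token_bytes(32)


def _tag(token: str, client_ip: str, key: bytes) -> str:
    """HMAC-SHA256 over the random token and the client IP (hash of IP as part of the SID)."""
    return hmac.new(key, f"{token}|{client_ip}".encode(), hashlib.sha256).hexdigest()


def generate_sid(client_ip: str, key: bytes = SERVER_KEY) -> str:
    """Issue a session ID: 128-bit random token followed by an IP-bound authenticator."""
    token = secrets.token_hex(16)           # CSPRNG, not a predictable counter or timestamp
    return f"{token}.{_tag(token, client_ip, key)}"


def validate_sid(sid: str, client_ip: str, key: bytes = SERVER_KEY) -> bool:
    """Regenerate the authenticator from the presented token and the current IP, then compare.

    A SID replayed from a different IP, or with a tampered token or tag, fails here.
    """
    try:
        token, tag = sid.split(".", 1)
    except ValueError:
        return False                        # malformed cookie: reject without raising
    if len(token) != 32:
        return False                        # token length is fixed by generate_sid
    expected = _tag(token, client_ip, key)
    return hmac.compare_digest(expected, tag)   # constant-time comparison


if __name__ == "__main__":
    # Constructed addresses from the documentation ranges.
    sid = generate_sid("203.0.113.5")
    print("same IP   :", validate_sid(sid, "203.0.113.5"))    # True
    print("other IP  :", validate_sid(sid, "198.51.100.7"))   # False
    print("malformed :", validate_sid("not-a-sid", "203.0.113.5"))  # False
```

The random token still carries the entropy; the HMAC only binds it to the address, so a SID that leaks (for example through the XSS the first bullet is about) is useless from another source address. Binding to the raw client IP does break legitimate sessions for users behind rotating proxies or on mobile networks, so in practice the bound value is often a coarser fingerprint or the check is treated as a signal to re-authenticate rather than a hard rejection.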