Two things: a two-part authentication verification scheme is always preferable to a single-part scheme. Those suggesting IP as the second part above are on the right track: you want IP + HTTP-Forwarded-For value; this allows a user to access your site securely over a protocol-supporting proxy server.
Second, all the talk about SSL is protecting the cookie in transit, but not at rest. You are not protecting yourself from an XSS-initiated session hijack, nor from a disk-read or memory-read based session hijack. These are “harder” than the simple wire sniff attack, so SSL is a solid first step, but don’t believe it gets you all the way there.
Overall, taking SSL + two-part identification gets you a whole lot closer to secure (based primarily on how well the user secures their end of the conversation), to the point that neglecting to do so should really be considered a security failure on your site.
From the user’s end, never, ever, ever do anything on an open wireless connection (or any unknown network). Always use SSL where possible. Should go without saying, but obviously the world needs more education on the matter.
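The two-part check described in the comment above, as an added example that is not part of the original comments: the session cookie carries an HMAC over the session id plus the client IP and forwarded-for value, so a cookie replayed from a different network origin fails verification. The function names, the key handling and the sample addresses are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

# Constructed per-process key for this example; a real site would load a
# persistent secret from its configuration.
SERVER_KEY = secrets.token_bytes(32)


def client_fingerprint(remote_addr, forwarded_for=None):
    """Second part of the check: peer IP plus the forwarded-for value, if any."""
    return f"{remote_addr}|{forwarded_for or ''}".encode()


def _tag(session_id, remote_addr, forwarded_for, key):
    # HMAC over the session id and the network origin it was issued to.
    msg = session_id.encode() + b"\x00" + client_fingerprint(remote_addr, forwarded_for)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_cookie(session_id, remote_addr, forwarded_for=None, key=SERVER_KEY):
    """Return 'session_id.tag', binding the session to the requesting origin."""
    return f"{session_id}.{_tag(session_id, remote_addr, forwarded_for, key)}"


def verify_cookie(cookie, remote_addr, forwarded_for=None, key=SERVER_KEY):
    """Return the session id if the cookie matches this origin, else None."""
    session_id, sep, tag = cookie.rpartition(".")
    if not sep or not session_id:
        return None  # malformed cookie: no tag present
    expected = _tag(session_id, remote_addr, forwarded_for, key)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if hmac.compare_digest(tag.encode(), expected.encode()):
        return session_id
    return None


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges).
    cookie = issue_cookie("abc123", "203.0.113.7", "10.0.0.5")
    print(verify_cookie(cookie, "203.0.113.7", "10.0.0.5"))   # original client
    print(verify_cookie(cookie, "198.51.100.9", "10.0.0.5"))  # replay from elsewhere
```

A forwarded-for header is only meaningful when it is set by a proxy the site trusts, since a client can send any value it likes. Clients behind the same NAT, such as users of one wireless hotspot, present the same public IP, so the IP part alone does not tell them apart.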
Leo Laporte has made a good suggestion. He suggests owners of hotspots use protected wifi so traffic is encrypted. Since a secure password is not just not needed but undesirable, it should be included in the network name, for example: networkname(password=password).
Just musing here. The real solution is biometrics. Even that is not a perfect solution, but if we can tie a private key to a user based on their fingerprint (or inserting a chip in their brain?) we would be significantly more secure. You would register with a website with your biological private key, providing them with the public key they need to authorize you. In turn, you get their public key back.
The web is simply not anonymous anymore. Websites are forced to send their unique identifier back to users (hey, this is me!) i.e. the cookie in order to keep state. All users have to do is request the cookie and the site trusts them. Due to the lack of anonymity on the web now, I think it is important for websites to verify that they know who they are talking to as well.
Instead, the site should be able to verify who they are back and transmit only the public keys. Sniffers can get all of the public keys they like. They will have a much harder time acquiring the private key cached on the user's computer (or implanted in their finger).