Caveat regarding one technique from the article re: "If they don't match, either it is a new session or someone is trying to hijack another user's session (because the session ID matches but not the IP address, or vice versa)."
The caveat is... don't assume that because somebody's request is all of a sudden coming from a different IP address then it must be a hijacked session.
Some large ISPs use farms of proxy servers, and so it is possible and perfectly valid that a user's requests can come from one IP address one moment, then from a different IP address the next.
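
Added illustration (not part of the comment above or of the article it discusses): a constructed sequence of requests from one legitimate user behind a proxy farm, replayed against a strict IP-match check and against an assumed, more tolerant policy. The function names, the "reauthenticate" outcome and the sample addresses are assumptions made for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    ip: str                                   # address seen when the session was created
    seen_ips: set = field(default_factory=set)


def strict_check(session, request_ip):
    """The check the quoted sentence describes: any IP mismatch counts as hijacking."""
    return "ok" if request_ip == session.ip else "hijack"


def tolerant_check(session, request_ip, sensitive=False):
    """Assumed alternative policy: an IP change is a signal, not a verdict."""
    if request_ip == session.ip:
        return "ok"
    session.seen_ips.add(request_ip)          # keep the address for logging and review
    # Only ask the user to prove identity again when the action is sensitive.
    return "reauthenticate" if sensitive else "ok"


def replay(check, requests, **kwargs):
    """Run every request of one session through a check and collect the verdicts."""
    session = Session(user="alice", ip=requests[0])
    return [check(session, ip, **kwargs) for ip in requests]


# Constructed sample: one legitimate user whose ISP routes requests through
# several proxies (documentation-range addresses, not real hosts).
PROXY_FARM_REQUESTS = [
    "198.51.100.10",
    "198.51.100.11",
    "198.51.100.10",
    "198.51.100.12",
]

if __name__ == "__main__":
    print("strict  :", replay(strict_check, PROXY_FARM_REQUESTS))
    print("tolerant:", replay(tolerant_check, PROXY_FARM_REQUESTS))
    print("tolerant, sensitive action:",
          replay(tolerant_check, PROXY_FARM_REQUESTS, sensitive=True))
```

The strict check labels half of this legitimate user's requests as hijacking, which is the false positive the comment warns about.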