[eluser]darkhouse[/eluser]
I think you're better off using database sessions (which they fixed in v1.7.0, I believe), so it just sets a cookie for the session id, and that gets regenerated every so often. It would be extremely difficult for someone to guess the right cookie id of an existing session.
Just to clarify, $_SESSION works no differently: it can store data in a cookie or files, but it still needs to send an id from page to page, either by a cookie or a GET variable. I think using database sessions is safer than regular old sessions.
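
Added example, not part of the original post: the session block of `application/config/config.php` in CodeIgniter 1.7 with database storage switched on, so custom session data stays server-side and the cookie carries the session id. The key names are the framework's own; the values, the table layout in the comment (as recalled from the 1.7 user guide) and the encryption key placeholder are assumptions to adapt.

```php
<?php
// application/config/config.php (session section), CodeIgniter 1.7.x
// Added example: values are illustrative, not taken from the thread.

// Required by sess_encrypt_cookie; placeholder, generate your own random key.
$config['encryption_key'] = 'REPLACE_WITH_RANDOM_32_CHAR_KEY';

$config['sess_cookie_name']     = 'ci_session';
$config['sess_expiration']      = 7200;   // seconds until the session expires
$config['sess_encrypt_cookie']  = TRUE;   // encrypt what is left in the cookie
$config['sess_use_database']    = TRUE;   // default is FALSE (all data in cookie)
$config['sess_table_name']      = 'ci_sessions';
$config['sess_match_ip']        = FALSE;  // TRUE can break users behind rotating proxies
$config['sess_match_useragent'] = TRUE;   // reject the id if the user agent changes
$config['sess_time_to_update']  = 300;    // regenerate the session id every 5 minutes

/*
 * Table expected by the Session library when sess_use_database is TRUE
 * (layout as recalled from the 1.7 user guide; check it against your version):
 *
 * CREATE TABLE IF NOT EXISTS `ci_sessions` (
 *   session_id    varchar(40)      DEFAULT '0' NOT NULL,
 *   ip_address    varchar(16)      DEFAULT '0' NOT NULL,
 *   user_agent    varchar(50)      NOT NULL,
 *   last_activity int(10) unsigned DEFAULT 0   NOT NULL,
 *   user_data     text             NOT NULL,
 *   PRIMARY KEY (session_id)
 * );
 */
```

With `sess_use_database` left at `FALSE`, everything passed to `set_userdata()` travels in the cookie itself, which is the case the post recommends moving away from.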