Not that hard to block (Score 1)

This should be easy to block on the server side without using SSL. Just save the IP address in the session when you first assign the session id, and then check the ip each time the session id is used. I haven't had a chance to test it yet but I put the code up here: http://filebottle.com/FireSheepBlock.html