You can still tie the session to other properties that won't change, such as the user-agent string. I'm not sure how widespread this practice is, but I don't see any pitfalls in it (except, of course, that it isn't guaranteed to catch the hijacking).
If they're able to sniff/steal your cookie they can easily capture any other request headers. This wouldn't be the case for brute forcing cookie values, but hopefully your cookie is secure enough to make that a non-issue.
AOL, and a few others, unfortunately still break the "IP for session security" thing :(
A lot of browsers have the same user agent string as well. The only two ways that I know of to uniquely identify a particular individual are through a cookie or a query string parameter on every click.
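
The User-Agent binding discussed in this thread, as an added example that is not part of any post above: a minimal in-memory session store that rejects a session id presented with a different User-Agent. The names `create_session`, `validate_session`, `SESSIONS` and `SERVER_KEY` are hypothetical, and the sample header strings are constructed; a request that presents the same header still passes, which is the limit the replies point out.

```python
import hashlib
import hmac
import secrets

# Constructed key for this example; a real deployment loads it from secret storage.
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {}  # session id -> {"user": str, "ua_tag": bytes}


def _ua_tag(user_agent: str) -> bytes:
    """Keyed digest of the User-Agent, so the raw header is not stored."""
    return hmac.new(SERVER_KEY, user_agent.encode("utf-8"), hashlib.sha256).digest()


def create_session(user: str, user_agent: str) -> str:
    """Issue an unguessable session id and remember the client's User-Agent tag."""
    sid = secrets.token_urlsafe(32)  # 256 random bits, so guessing ids is impractical
    SESSIONS[sid] = {"user": user, "ua_tag": _ua_tag(user_agent)}
    return sid


def validate_session(sid: str, user_agent: str):
    """Return the user name, or None if the id is unknown or the User-Agent changed."""
    record = SESSIONS.get(sid)
    if record is None:
        return None
    if not hmac.compare_digest(record["ua_tag"], _ua_tag(user_agent)):
        # Mismatch: treat the id as compromised and force a fresh login.
        del SESSIONS[sid]
        return None
    return record["user"]


if __name__ == "__main__":
    ua = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0"  # constructed sample
    sid = create_session("alice", ua)
    print(validate_session(sid, ua))                 # original client is accepted
    print(validate_session(sid, "OtherClient/2.0"))  # changed header is rejected
    print(validate_session(sid, ua))                 # id was invalidated by the mismatch
```
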