Programming Secure Web Applications in Python

From , former About.com Guide

9 of 10

Configuration Management

As with anything else related to the execution environment on the server, configuration issues are largely determined by the network policies. If, however, you use session IDs and saved configuration files, you will want to guard against their corruption or malicious alteration by securing your web application within the parameters discussed earlier in this series.

If this sounds like Magic URLs redivivus, it's not. It is a matter of ensuring your session IDs time out soon enough to avoid malicious copying but not so soon that usability suffers.

If one uses session IDs alone, getting this right is a fine art that can easily end up frustrating users and causing them to try to circumvent your security implementation. However, if one logs information about one's visitors separately from the web log, one can allow longer session times based upon identifiers such as IP address, browser type, and the like. These are certainly not foolproof, but they go a long way toward securing your application.
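The trade-off described above, as an added example that is not part of the original article: a session whose client identifiers (IP address and browser type) match the ones recorded at login gets a long idle timeout, while the same session ID presented from a different client is held to a short one. The function names, the in-memory store, and both timeout values are assumptions chosen for illustration.

```python
import hashlib
import secrets
import time

SHORT_TTL = 15 * 60       # assumed idle limit when only the session ID matches
LONG_TTL = 8 * 60 * 60    # assumed idle limit when the client identifiers match too

# In-memory stand-in for a visitor record kept separately from the web log.
_sessions = {}


def _fingerprint(ip, user_agent):
    """Hash the identifiers recorded for the visitor (not secret, not foolproof)."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


def create_session(user, ip, user_agent, now=None):
    """Issue an unguessable session ID and record who it was issued to."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"user": user, "fp": _fingerprint(ip, user_agent),
                      "last_seen": now}
    return sid


def validate_session(sid, ip, user_agent, now=None):
    """Return the user name if the session is still acceptable, else None."""
    now = time.time() if now is None else now
    rec = _sessions.get(sid)
    if rec is None:
        return None
    idle = now - rec["last_seen"]
    if idle > LONG_TTL:
        del _sessions[sid]            # expired for everyone: drop the record
        return None
    same_client = rec["fp"] == _fingerprint(ip, user_agent)
    if not same_client and idle > SHORT_TTL:
        return None                   # a copied ID only works in the short window
    if same_client:
        rec["last_seen"] = now        # only the original client extends the session
    return rec["user"]
```

A request from a mismatched client never refreshes `last_seen`, so a copied session ID cannot keep itself alive.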

©2009 About.com, a part of The New York Times Company.

All rights reserved.