You are right, it's fairly easy to "hack" into a user_session,once you've copied the session_number.
(pen and paper...)
Using the IP adress for extra security won't help , if all users share the same ip-adres from the localnetwork [eg using a router to internet].
On our school we've had a single "serious incident" of a pupil logging into a supervisor/teacher session [she left the computer room for a few minutes, not logging off...]
All 'exams & sheets' were altered, passwords changed etc etc.
This has proven a very good lesson to all other users/teachers: they now close the session when leaving the computer
kind regards,
Joke Evers