There really is nothing "easy" about session hijacking, but if you forget to log out then yes, you are making it simpler to hijack your session by allowing a larger attack window.
Some basic tips for securing your sessions:
1) Make sure you are using only cookies - session IDs in the URL are just begging for a hijacking.
2) Set your session expiration to be as short as is convenient. I set my admin-related expirations at 5 minutes or even shorter.
Additionally, if you can know for certain that those using your sessions will not be changing IP during a session, use that as a secondary check, i.e. tie each session to a particular IP address and kill it if another IP tries to use it.
PHP Code:
//upon login (after session_start()), assign the client's IP address to a session variable
//$_SERVER['REMOTE_ADDR'] always holds the client address; REMOTE_HOST is only
//populated when the server does reverse DNS lookups, so the original comparison
//would often be checking two empty values against each other
session_start();
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];

//on each page (again after session_start()), verify the IP address
if (!isset($_SESSION['ip']) || $_SESSION['ip'] !== $_SERVER['REMOTE_ADDR'])
    die("Possible hijacking attempt!!");
Note that there are many clients out there behind dynamic hosts who will appear to "hop" from one IP address to another. I've seen some systems that will lock a session to an IP's subnet (based on the standard Class A, B, and C subnet definitions), which should still allow those clients to log in; others make it a user-configurable preference to "lock" the session to the current IP address (LiveJournal used to do this; MozillaZine does this).
Most often what appears to be session hijacking is in fact a compromised username/password pair. Change your password, and if the problems cease that was likely the cause. Beware of XSS and social engineering attacks, and secure your site against XSS and educate your users about the risks of social engineering.
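The settings and checks from the tips above, pulled together into one place: cookie-only sessions, a short server-side idle timeout for admin sessions, and the IP lock with an optional subnet-wide match (IPv4 /24 or IPv6 /64) for clients whose address hops inside one network. This is an added example and is not the poster's code; the function names, the `ip_lock` session keys and the 5-minute timeout constant are assumptions chosen for the illustration.

```php
<?php
// Added example, not from the original post. Function names, session keys
// and ADMIN_IDLE_TIMEOUT are assumptions made for this illustration.
declare(strict_types=1);

// Tip 1: session IDs travel only in cookies, never in URLs. These must be
// set before session_start().
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
ini_set('session.cookie_httponly', '1');   // keep the cookie away from script (XSS)
ini_set('session.cookie_samesite', 'Lax');
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
    ini_set('session.cookie_secure', '1');
}

// Tip 2: admin sessions die after 5 minutes of inactivity (assumed value).
const ADMIN_IDLE_TIMEOUT = 300;

/**
 * Returns the part of the client address a session is locked to.
 * 'exact' binds the whole address; 'subnet' binds the first 3 bytes of an
 * IPv4 address (/24) or the first 8 bytes of an IPv6 address (/64).
 */
function sessionLockKey(string $ip, string $mode = 'exact'): string
{
    if ($mode !== 'subnet') {
        return $ip;
    }
    $bin = inet_pton($ip);
    if ($bin === false) {
        return $ip;                       // unparseable address: fall back to exact match
    }
    $prefixBytes = strlen($bin) === 4 ? 3 : 8;
    return bin2hex(substr($bin, 0, $prefixBytes));
}

/** Call once, right after the credentials have been verified. */
function bindSessionToClient(string $mode = 'exact'): void
{
    session_regenerate_id(true);          // fresh ID on login defeats session fixation
    $_SESSION['ip_lock']      = sessionLockKey($_SERVER['REMOTE_ADDR'], $mode);
    $_SESSION['ip_lock_mode'] = $mode;
    $_SESSION['last_seen']    = time();
}

/** Call on every protected page, after session_start(). */
function verifySessionClient(int $idleTimeout = ADMIN_IDLE_TIMEOUT): void
{
    $mode     = $_SESSION['ip_lock_mode'] ?? 'exact';
    $expected = $_SESSION['ip_lock'] ?? null;
    $current  = sessionLockKey($_SERVER['REMOTE_ADDR'], $mode);
    $idle     = time() - (int) ($_SESSION['last_seen'] ?? 0);

    if ($expected === null || !hash_equals($expected, $current) || $idle > $idleTimeout) {
        // Drop the server-side state and the cookie, then force a fresh login.
        $_SESSION = [];
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        session_destroy();
        error_log(sprintf('session rejected for %s (lock mode %s, idle %ds)',
            $_SERVER['REMOTE_ADDR'], $mode, $idle));
        http_response_code(403);
        exit('Session invalid; please log in again.');
    }
    $_SESSION['last_seen'] = time();      // sliding idle timeout
}

// Usage sketch (the real login and page code are outside this example):
session_start();
if (isset($_POST['username'], $_POST['password']) /* && credentials check passes */) {
    bindSessionToClient('subnet');        // or 'exact' for admins on a fixed address
}
if (isset($_SESSION['ip_lock'])) {
    verifySessionClient();                // every protected page
}
```

Two points worth keeping in mind when using this: the idle timeout is enforced on the server because the cookie's own expiry is under the client's control, and `$_SERVER['REMOTE_ADDR']` is the address of whatever connects to PHP, so behind a reverse proxy or load balancer it will be the proxy's address and every user will share one lock key until the real client address is taken from a trusted forwarding header.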