I agree with Craig, but on top of the things that Craig mentioned, the answer partially depends on what you are trying to protect. If you were a banking institution then the answer would be different than an online forum.
Unfortunately, due to proxy use in some of the larger ISPs, the IP address is a bad thing to use for security. There will be some users who will get denied just because of their ISP.
The security is to have your sessions themselves time out after a short period of time if you can. That is why if you go and get a cup of coffee while you are on a bank site you will find yourself logged out. Unfortunately, allowing short session times doesn't work with everything. For instance, it isn't much fun when your session times out while you are trying to make a post on a forum. So you have to balance the two. For a bank, maybe 10-minute session timeouts. For forums, maybe 2-hour timeouts.
You can also tie some client information to the session if it is important that the information remain safe. This won't stop people who are very creative, but does raise the bar some, and for automated attacks may cause fewer problems. For instance, keep the user agent in the server-stored session; if the user agent changes, log the person out. Browsers are also pretty noisy on many occasions as to what they will tell you when they make a request. Adding in something random like the Accept-Charset field, which is accessible from most applications, may make it secure enough to deter someone who isn't overly intent on messing with you.
Overall, the best way to prevent session theft is to make sure that your website is properly coded and you have input validation issues handled. Making sure you have good input validation will go a long way to preventing XSS, SQL injection and a few other types of attacks. Check out the OWASP Top 10 for common ways to prevent application problems.
Hope this helps!
CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+
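
An added example, not part of the original post: a minimal server-side session store that combines the two controls described above, an idle timeout and a binding to the User-Agent and Accept-Charset request headers. The class, function and constant names and the sample headers are assumptions made for illustration; a header mismatch or an expired session destroys the session and forces a new login.

```python
import hashlib
import hmac
import secrets

BOUND_HEADERS = ("User-Agent", "Accept-Charset")  # the headers the post suggests


class SessionStore:
    """Server-side sessions with an idle timeout and a client-header binding."""

    def __init__(self, idle_timeout_s, key=None):
        self.idle_timeout_s = idle_timeout_s
        self.key = key or secrets.token_bytes(32)  # per-deployment secret
        self.sessions = {}  # session id -> {"fp": bytes, "last_seen": float}

    def _fingerprint(self, headers):
        # A missing header hashes as "", so "absent" is also a stable value.
        material = "\n".join(headers.get(h, "") for h in BOUND_HEADERS)
        return hmac.new(self.key, material.encode(), hashlib.sha256).digest()

    def create(self, headers, now):
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self.sessions[sid] = {"fp": self._fingerprint(headers), "last_seen": now}
        return sid

    def validate(self, sid, headers, now):
        """Return (ok, reason); a timeout or mismatch destroys the session."""
        s = self.sessions.get(sid)
        if s is None:
            return False, "unknown"
        if now - s["last_seen"] > self.idle_timeout_s:
            del self.sessions[sid]
            return False, "timeout"
        if not hmac.compare_digest(s["fp"], self._fingerprint(headers)):
            del self.sessions[sid]
            return False, "client-changed"
        s["last_seen"] = now  # sliding idle window
        return True, "ok"


# Constructed sample request headers (not taken from real traffic).
FIREFOX = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0",
           "Accept-Charset": "utf-8"}
OTHER = {"User-Agent": "curl/8.0.1"}

BANK_TIMEOUT_S = 10 * 60       # the post's suggested bank timeout
FORUM_TIMEOUT_S = 2 * 60 * 60  # the post's suggested forum timeout
```
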