We've had a user reporting hijacking the session successfully using droidsheep, a port of firesheep. Essentially this tool captures network traffic and retrieves session ID. Using the session ID you are then able to take over the session, without entering username/password.
We have not had time to look into this very thoroughly but it looks like enabling the "Do not include session cookie in URL" prevents this security issue.
Why this setting is not enabled by default I don't know, but I highly recommend checking the setting on your SA.
I will post more information on this when we have time...