Don't use sessionid. You can also store their data in the database, create a mixture of cookies, useragent hashed and ip and create your own protected sessions.