As for the IP checking... what if their IP changes during a session? I believe that is possible.
It is possible, yes, but so what? Get them to log back in. It adds an extra dimension to your security at a slight cost that 99% of your users will never experience.
I'd say that statistic is 99% pulled out of the air.
A *large* number of users go through proxies, concentrators, and web content engines that end up changing their IP address during a session. Entire *countries* have their access forced through such devices, and to say that only affects 1% of the population is a little inaccurate in my experience. (Of course, if your webapp market is 99% people that use static IP addresses in the US only, then yes, it would be 99%)
In my experience, it's a significant amount: over 15% for people playing BNT, TKI, and other various games I've contributed to.
A much more reliable method of preventing session hijacking is to use a one-time pad. By sending a one-time secret to the user, and forcing them to respond with a different secret (password?) hashed with that one-time secret, you seriously reduce the possibility of session hijacking.
Now the attacker has to get a working session cookie in the narrow window of time that a user is logged in, which quite literally may only be 10 minutes out of a day (1440 minutes, or less than 1% of the time).
Just a thought.
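The challenge-response idea from the post above, written out as an added example (not code from anyone in this thread): the server issues a per-request nonce, the client answers with HMAC(session_secret, nonce), and the server rotates the nonce after each verified request, so a response captured in transit cannot be replayed. The class and function names and the 32-byte session secret are constructed for illustration.

```python
import hashlib
import hmac
import secrets


class NonceSession:
    """Server-side state for one logged-in user (hypothetical helper).

    The server hands the client a fresh one-time nonce; the client must
    answer the next request with HMAC(session_secret, nonce). After a
    successful check the nonce is rotated, so a captured response is only
    valid until the legitimate client's next request goes through.
    """

    def __init__(self, session_secret: bytes):
        self.secret = session_secret          # agreed at login time
        self.nonce = secrets.token_hex(16)    # current one-time challenge

    def verify(self, nonce: str, response: str) -> bool:
        # Only the current challenge is acceptable; an old nonce is a replay.
        if nonce != self.nonce:
            return False
        expected = client_response(self.secret, nonce)
        if not hmac.compare_digest(expected, response):
            return False                      # wrong secret: no rotation
        self.nonce = secrets.token_hex(16)    # rotate: old response now useless
        return True


def client_response(session_secret: bytes, nonce: str) -> str:
    """What the client sends back: HMAC-SHA256 of the nonce under the secret."""
    return hmac.new(session_secret, nonce.encode(), hashlib.sha256).hexdigest()


def demo() -> tuple:
    """One legitimate request, then a replay of the captured pair, then a forgery."""
    session = NonceSession(secrets.token_bytes(32))   # constructed secret
    nonce = session.nonce
    answer = client_response(session.secret, nonce)
    first = session.verify(nonce, answer)             # True: fresh challenge answered
    replay = session.verify(nonce, answer)            # False: nonce already rotated
    forged = session.verify(session.nonce, "0" * 64)  # False: attacker lacks the secret
    return first, replay, forged


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Each response is tied to a single nonce, so the window an attacker has to use a sniffed value closes as soon as the real client makes its next request.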