It's worth noting that automated tools will frequently report false positives as they cannot know the context. This is one of those cases. As Michael points out below, this exploit requires unencrypted traffic, physical access, or an XSS attack. If you have unfettered access to a session key there is no way to prevent this.