since the session ID is displayed in plain view in the browser's address bar and could be easily hijacked by a passerby

While I applaud your attention to security, I think you're passing the security boundary and into paranoia. If someone passing by can easily remember a sessionid then either your session ids are way too small or the person is wasting their time and should be in a casino somewhere counting cards.

But ... if you're still really worried, you could combine the true session id with something else, a nonce, that isn't seen by the passerby. Some people use the ip address of the incoming request but you really need to know your clients to do that (there could easily be lot's of clients coming from the same nat gateway). Or you could create a nonce on your own and insert it as a hidden field. The problem there ... every request would need to be a POST.

Personally, I've given up on the people who do not accept cookies. The only thing I try to do is minimize the number of cookies I create (I'm almost down to one!). It's a trade-off.