If someone can gain access to your computers memory where the session variables reside, you have a lot more to be concerned about than the session variables. Now in asp where you are going over the internet, I can see where this would be a concern.
Session variables run on the server side.Its not that easy to hack.You gotta hack the server to gain access to the session variables.
Most people say not to use session variables just because it degrades the efficiency of the webpage.
In my experience,session variables gave me a head ache in these cases.
1.In the middle of the application,if the user changes his screen resolution,the session variables remains the same(It screwed up).One has to close the browser and then reopen the browser for the application to run properly.
2.If you are using Dual servers and second server is intended to act when the first server fails.The session variables are lost when the first server fails.