in reply to What if the bad-guys send nonsense as a session-id?

Most people detect an invalid session id from a cookie, URL, or argument, and they toss the user back to some content, just like they do for an invalid product id. Using bound queries protects you from injection, and you can also test the format of your session id quickly ahead of time to make sure it's potentially a valid BASE64 or UUID or whatever your standard is. This will also save you some potentially costly database lookups if you're worried on that front as well.
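As an added illustration of the reply above (not code from the thread): a Python sketch using `sqlite3` that tests the session id format first and only then runs a bound-parameter lookup. The UUID standard, the `sessions` table, and the names `well_formed`, `SessionStore` and `demo` are assumptions made for this example.

```python
import re
import sqlite3
import uuid

# Assumed standard for this sketch: session ids are canonical lowercase UUIDs.
UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
MAX_RAW_LEN = 64  # refuse oversized input before running the regex

def well_formed(raw):
    """Cheap format test: True only if raw could be one of our session ids."""
    # fullmatch (not match with $) so a trailing newline does not slip through.
    return (isinstance(raw, str) and len(raw) <= MAX_RAW_LEN
            and UUID_RE.fullmatch(raw) is not None)

class SessionStore:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE sessions (id TEXT PRIMARY KEY, user TEXT NOT NULL)")
        self.lookups = 0  # counts queries actually sent to the database

    def create(self, user):
        sid = str(uuid.uuid4())
        self.db.execute("INSERT INTO sessions (id, user) VALUES (?, ?)", (sid, user))
        return sid

    def user_for(self, raw):
        """Return the user for a session id, or None for malformed or unknown ids."""
        if not well_formed(raw):
            return None  # same outcome as an unknown id, and no query is issued
        self.lookups += 1
        # Bound parameter: the id travels as data and is never spliced into the SQL.
        row = self.db.execute("SELECT user FROM sessions WHERE id = ?", (raw,)).fetchone()
        return row[0] if row else None

def demo():
    store = SessionStore()
    good = store.create("alice")
    # Constructed sample inputs: a valid id, several kinds of nonsense,
    # and a well-formed id that was never issued.
    inputs = [good, "", "x' OR '1'='1", "A" * 10000, good + "\n", str(uuid.uuid4())]
    return [store.user_for(s) for s in inputs], store.lookups

if __name__ == "__main__":
    print(demo())
```

Only the valid id and the well-formed but unknown id reach the database; the caller handles `None` the same way in both the malformed and the unknown case.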