
Is ASP.NET Membership protected from Firesheep?


I have the impression that ASP.NET Membership encrypts its cookie by default.

Is it relatively safe to assume that ASP.NET Membership protects against session hijacking (à la Firesheep)?


Solution

  • ASP.NET membership uses the exact same mechanism as any other site and is absolutely vulnerable to a Firesheep attack. The cookie itself cannot be encrypted in a way that keeps it from being hijacked. All communication with the server must be encrypted to protect from session hijacking, using SSL or WEP wireless encryption.
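
As an added example (not part of the original answer): a small Python check that reads a `web.config` and reports when the forms-authentication cookie or other cookies are not restricted to SSL through ASP.NET's `requireSSL` attributes. The function name `audit_web_config` and both sample configurations are constructed for illustration, and the check assumes a `web.config` without an XML namespace on `<configuration>`.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config files (not from the original page).
WEAK_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="30" />
    </authentication>
  </system.web>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="30" requireSSL="true" />
    </authentication>
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
</configuration>"""


def _is_true(element, attr):
    """A missing element or attribute counts as false, matching the ASP.NET default."""
    return element is not None and element.get(attr, "false").strip().lower() == "true"


def audit_web_config(xml_text):
    """Return findings for cookies the browser may send over plain HTTP."""
    findings = []
    web = ET.fromstring(xml_text).find("system.web")
    if web is None:
        return ["no <system.web> section found"]
    auth = web.find("authentication")
    # The forms ticket cookie is only relevant when forms authentication is on.
    if auth is not None and auth.get("mode", "").lower() == "forms":
        if not _is_true(auth.find("forms"), "requireSSL"):
            findings.append('forms auth ticket cookie lacks requireSSL="true"')
    # Site-wide default for cookies issued by the application.
    if not _is_true(web.find("httpCookies"), "requireSSL"):
        findings.append('httpCookies lacks requireSSL="true"')
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_web_config(cfg) or "OK")
```

`requireSSL` only marks the cookie as Secure so the browser withholds it from plain HTTP requests; the site still has to be served entirely over SSL for the cookie to stay off the wire in cleartext.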