I primarily use sessions in cookies. Googlebot does not use cookies at all. In this case googlebot would index my pages with session IDs.

Therefore I use this solution :D

Sessions are disabled at all - I do not call session_start() by default

If visitor logs in (fills login form and POST it), I save his IP address into a database :D

At the beginning of every page is a code which checks visitor's IP. If it is in DB, then I use session_start()

I suppose google bot will never POST a form and never log in :D

And of course I delete from DB IP addresses older than 15 mins

Tell me your opinion :-]
Actually I have 12k visitors/day (gaming site) and the CPU working load is maximum 20% (peak in 5min period average) so i dont see any problem there. In addition, this method can't be recognized as cloaking.

servers specs : athlon 1900Mhz I guess, 768MB RAM, FreeBSD, php-a, apache@600 processes/threads max.