How can a user defend against session hijacking?

Here are some suggestions. None of this will give you the same level of security as TLS would, though.

  • Don't use the site unless you really have to. But since you ask, I assume you do.
  • If you visit it, use a VPN (or Tor) as often as possible. An attacker would have to get in the middle of your VPN exit and the server in question, which is harder than getting in the middle of you and the server (but not impossible, especially not for a government - or the provider of the VPN/Tor exit node...).
  • If you don't use a VPN, at least don't use it over Wi-Fi. That is so much easier to sniff than a cable network.
  • Stay logged in for as short periods of time as possible, and always log out when you are done. Don't check the "remember me" box.
  • Unless the login page is over HTTPS, you should be more worried about your password than your session ID... If the login page is over HTTPS, always check that you have a secure connection so you don't become a victim of SSL-strip.

Depending on how likely you think it is that you will be the target of an attack this may or may not be enough. I am afraid there is not much else you can do.
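As an added illustration of the checks behind the last two bullets (not code from either answer), the script below audits a captured login-page response the way a user or tester would by hand: is the page on HTTPS, does it send HSTS so a browser will refuse an SSL-strip downgrade, does the session cookie carry the Secure flag so it is never sent over plain HTTP, and is it persistent (the "remember me" case). All URLs and header values are constructed samples, not real sites.

```python
"""Audit a captured HTTP response for session-hijacking exposure.

Added example, not part of the original answers. Input is the URL the page
came from plus its response headers as (name, value) pairs, so that repeated
Set-Cookie headers survive. All sample data below is constructed.
"""
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Return (cookie_name, {attribute_lowercase: value}) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # flags like Secure map to ""
    return name, attrs


def audit(url, headers):
    """Return a list of findings describing how a session on this page could be hijacked."""
    findings = []
    scheme = urlsplit(url).scheme.lower()
    present = {name.lower() for name, _ in headers}

    if scheme != "https":
        findings.append("page served over plain HTTP: password and session ID readable on the wire")
    elif "strict-transport-security" not in present:
        findings.append("HTTPS without HSTS: a browser follows an HTTP downgrade (SSL-strip) silently")

    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(f"cookie {cookie!r} lacks Secure: the browser will also send it over HTTP")
        if "expires" in attrs or "max-age" in attrs:
            findings.append(f"cookie {cookie!r} is persistent ('remember me'): it survives closing the browser")
    return findings


# Constructed samples: a plain-HTTP login, a well-configured HTTPS login,
# and an HTTPS login without HSTS that hands out a long-lived cookie.
SAMPLES = {
    "plain_http": ("http://shop.example.invalid/login",
                   [("Content-Type", "text/html"),
                    ("Set-Cookie", "PHPSESSID=CONSTRUCTED123; Path=/")]),
    "good_https": ("https://shop.example.invalid/login",
                   [("Strict-Transport-Security", "max-age=31536000"),
                    ("Set-Cookie", "sid=CONSTRUCTED456; Path=/; Secure; HttpOnly")]),
    "no_hsts_remember_me": ("https://shop.example.invalid/login",
                            [("Set-Cookie", "sid=CONSTRUCTED789; Path=/; Secure; Max-Age=2592000")]),
}


def audit_samples():
    """Run the audit over every constructed sample; returns {label: findings}."""
    return {label: audit(url, headers) for label, (url, headers) in SAMPLES.items()}


if __name__ == "__main__":
    for label, findings in audit_samples().items():
        print(label, "->", findings or ["no findings"])
```

The same function can be pointed at headers copied out of a browser's network panel; the two conditions it flags on the HTTPS path (no HSTS, no Secure flag) are exactly what lets an SSL-strip attacker see the session ID even when the login itself was encrypted.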


A VPN only protects your session to the point where it exits the VPN - SSL is exactly the same but the tunnel extends to the site you are connecting to. So when you access an HTTP site using a VPN, you are only protected against an attack on your local network and a few hops along.

If your description is accurate, and there is any sensitive data being passed in either direction, then these people are idiots who are ignoring their duty of care to their customers. But there are sites which do not exchange any sensitive data with your browser.

TLS is just part of the security controls a website should implement. I don't know why you feel the need to protect their identity.