How to Limit Session Hijacking Threat?

software development


I have a web application that will utilize standard PHP sessions (cookies + session stored on file system, etc).

What approaches are most recommended for limiting session fixation and hijacking threats? For example:

  • php.ini settings?
  • creating extra session tokens besides session_id?
  • etc.

Kind of a big topic… but any suggestions or links to get me started would be great.