In php.ini you'll need to set the following:
session.cookie_httponly = 1
session.cookie_secure = On
session.cookie_secure specifies whether cookies should only be sent over secure connections. Defaults to off. This setting was added in PHP 4.0.4. See also session_get_cookie_params() and session_set_cookie_params().
session.referer_check = your_url.tld
Where your_url.tld could be:
session.referer_check = example.com
Another small security feature is allowing PHP to check HTTP referer values
so that session information is only passed internally while a user is viewing an application.
This prevents users from accidentally publishing session information in a way that would allow external users to follow links and steal a session.
This is especially useful if session information is being passed in a URL that could accidentally be published to a mailing list or web site.
You maybe also interested in Session Fixation.
This is where an attacker explicitly sets the session identifier of a session for a user. Typically in PHP it's done by giving them a url like http://www.example.com/index...?session_name=sessionid. Once the attacker gives the url to the client, the attack is the same as a session hijacking attack.
There are a few ways to prevent session fixation (do all of them):
* Set session.use_trans_sid = 0 in your php.ini file. This will tell PHP not to include the identifier in the URL, and not to read the URL for identifiers. Defaults to 0 (disabled).
* Set session.use_only_cookies = 1 in your php.ini file. This will tell PHP to never use URLs with session identifiers. Defaults to 1 (enabled) since PHP 5.3.0.
session.use_trans_sid = 0
session.use_only_cookies = 1
**NOTE** These are not just WordPress specific, but can be applied to other web apps written in PHP.