Then there's the classic recording the IP address of the person with the cookie and if this changes don't allow the user to take the session etc. basically checking the IP address. I think this is a dumb idea these days due to the fact that from some ISP's IP's change very quickly. So I don't think this is a sound solution?
Then there's using things in session_set_cookie and ini_set to set certain key cookie behaviors like
ini_set('session.cookie_secure',1); ini_set('session.cookie_httponly',1); ini_set('session.use_only_cookies',1);
This is one of the security procedures I'm leaning toward using because just making sure cookies are httponly goes a long way in stopping XSS techniques for working with things like document.cookie.
In any case I'm using goddaddy for hosting so I'd like to know what others think you should do and what they do? Is there like any ultimate way of stopping session hijacks like prepared statements is to SQL injection making it almost impossible?