DanielTheGeek:

You can disable passing session id's through the URL by turning it off in a .htaccess file or PHP ini file. This doesn't prevent the hijacking (made a mistake earlier) just makes it less vulnerable.
When use_trans_sid is enabled, PHP will pass the session ID
via the URL. This makes the application more vulnerable to
session hijacking attacks.
Another measure is to disable JavaScript access to cookies so a hacker cannot get access to the session id from a cookie using XSS.

lekropasky:
thanks. I kinda like the option d, but does that mean C/C++ codes are free from being reverse engineered?.

mnairaland:


To the best of my knowledge, session id are never sent via url by default unless you specifically request that it be sent via url.

If my memory serves me right, cookies get sent by url only when you do not allow creation of cookies on your computer.

Disabling javascript to prevent session hijacking by turning javacsript off is not a good idea because most applications need javascript and so it is not really a pragmatic solution. Besides, there are many other ways of preventing XSS without turning javascrpt off.

mnairaland:
From what I have gathered here this is my opinion on how to prevent session hijack.

DanielTheGeek:


Another measure is to disable JavaScript access to cookies so a hacker cannot get access to the session id from a cookie using XSS and also force cookies to be sent over HTTPS.
You can even go to the extent of storing the IP with the cookie and when they change, re-auth but some people's ISP's reallocate IP's quickly so you may end up annoying legit users.

DanielTheGeek:

Next time, read through well.. disable JavaScript access to the cookies.
The session Id stuff is still worth mentioning, so no one turns it on in production without knowing the risk.