Cacher is the code snippet organizer for pro developers

<?php
// **PREVENTING SESSION HIJACKING**
// Prevents javascript XSS attacks aimed to steal the session ID
ini_set('session.cookie_httponly', 1);

// **PREVENTING SESSION FIXATION**
// Session ID cannot be passed through URLs
ini_set('session.use_only_cookies', 1);

// Uses a secure connection (HTTPS) if possible
ini_set('session.cookie_secure', 1);
// OR if u want to add directly to setcookie function
setcookie("name", "value", NULL, NULL, NULL, TRUE, NULL);
?>

; Edit next files:
; /etc/php5/cli/php.ini
; /etc/php5/apache2/php.ini

; By specifying the HttpOnly flag when 
; setting the session cookie you can 
; tell a users browser not to expose 
; the cookie to client side scripting 
; such as JavaScript. This makes it 
; harder for an attacker to hijack 
; the session ID and masquerade as 
; the effected user.
session.cookie_httponly = 1

; It is also a good idea to make sure 
; that PHP only uses cookies for 
; sessions and disallow session 
; ID passing as a GET parameter:
session.use_only_cookies = 1

; PHP has ini setting to ensure session 
; cookies are only sent over secure 
; connections:
session.cookie_secure = 1

With .htaccess just need to add these flags: 
php_value session.cookie_httponly 1
php_value session.cookie_secure 1