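Set the PHP options session.cookie_httponly and session.cookie_secure to 1 to protect the session cookie value from being stolen. HttpOnly hides the cookie from JavaScript, so an XSS payload cannot read it; Secure makes the browser send the cookie only over HTTPS.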

You can see and modify the cookie attributes in developer tools and then run alert(document.cookie) in the dev tools console to see whether the cookie can be read with JavaScript.
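The same check can be done on the response headers instead of in the console. The following is an added example, not code from the original page: it audits Set-Cookie header lines for the two attributes. The function names and the sample headers are constructed for illustration, and the cookie name assumes PHP's default session name, PHPSESSID.

```javascript
// Added example: audit Set-Cookie header lines for HttpOnly and Secure.
// Function names are hypothetical; sample headers are constructed, not captured.

function parseSetCookie(line) {
  // Accept a bare cookie string or a full "Set-Cookie: ..." header line.
  const value = line.replace(/^set-cookie:\s*/i, "");
  const parts = value.split(";").map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0) return null;
  const eq = parts[0].indexOf("=");
  if (eq <= 0) return null; // no cookie name present
  const attrs = new Set();
  for (const p of parts.slice(1)) {
    // Attribute names are case-insensitive; ignore any "=value" part.
    attrs.add(p.split("=")[0].trim().toLowerCase());
  }
  return { name: parts[0].slice(0, eq), attrs };
}

function auditSessionCookie(headerLines, cookieName = "PHPSESSID") {
  const findings = [];
  let seen = false;
  for (const line of headerLines) {
    const cookie = parseSetCookie(line);
    if (!cookie || cookie.name !== cookieName) continue;
    seen = true;
    if (!cookie.attrs.has("httponly")) {
      findings.push("missing HttpOnly: readable via document.cookie");
    }
    if (!cookie.attrs.has("secure")) {
      findings.push("missing Secure: also sent over plain HTTP");
    }
  }
  if (!seen) findings.push("session cookie not set in this response");
  return findings;
}

// Constructed samples: before and after setting both options to 1.
const weakHeaders = ["Set-Cookie: PHPSESSID=constructedvalue123; path=/"];
const hardenedHeaders = [
  "Set-Cookie: PHPSESSID=constructedvalue123; path=/; secure; HttpOnly",
];

console.log("weak:", auditSessionCookie(weakHeaders));
console.log("hardened:", auditSessionCookie(hardenedHeaders));
```

The header lines to feed in can be copied from the Network tab of the developer tools for the response that starts the session.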