Let's just consider the trust that the server has with the user.
Session fixation: To avoid fixation, I use session_regenerate_id() ONLY in authentication (login.php).
Session sidejacking: SSL encryption for the entire site.
Am I safe?
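
The two mitigations named in the question, written out as an added PHP example that is not part of the original post. The function names, the in-memory user array and the cookie attribute values are assumptions for illustration; the example pairs session_regenerate_id() at login with the session settings that stop the ID from being supplied by a client or sent outside TLS.

```php
<?php
// Added example. start_secure_session(), login() and $users are
// hypothetical names, not code from the original post.

function start_secure_session(): void
{
    // Sidejacking: refuse to start a session over plain HTTP.
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        http_response_code(400);
        exit('HTTPS required');
    }
    // Fixation: only accept IDs this server issued, and only from cookies.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // cookie is sent over TLS only
        'httponly' => true,   // cookie is not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(array $users, $name, $password): bool
{
    // Reject non-string input (e.g. user[]=x) before touching the store.
    if (!is_string($name) || !is_string($password)) {
        return false;
    }
    $hash = $users[$name] ?? null;   // constructed store: name => hash
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // New ID at the privilege change; true deletes the old session data,
    // so an ID that was known before login stops working.
    session_regenerate_id(true);
    $_SESSION['user'] = $name;
    return true;
}

// login.php, with a constructed sample account
start_secure_session();
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = login($users, $_POST['user'] ?? null, $_POST['pass'] ?? null);
    http_response_code($ok ? 200 : 401);
}
```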