How to implement a secure session management system in PHP (and generally)?

Developers, especially unexperienced PHP developers, have a tendency to not care much care about security-related issues. This is true for the problem of secure sessions, too - and the reason why attackers of a certain website or service can easily hijack sessions to get access to data, which they should not have access to. Because HTTP is a stateless protocol, sessions are required to identify a certain client on multiple requests. In PHP this identification is done via "session IDs", which are exchanged by the client and the webserver on each request (the session ID may be stored as a Cookie, in the URL or hidden field). The server stores the session ID locally to identify a certain client if the session ID is available in a certain request. If an attacker is able to steal the session ID of a certain client, the server will "think", that the attacker is the client. As a result, the attacker will be able to do everything, the client is allowed to do. How do I implement a session management system in PHP (and generally), which is more secure and more protected against "session hijacking" attempts?
Subscribe to session