2011-11-27, 08:17 PM
You can put this at the beginning of global.php:
ini_set('session.cookie_httponly', true);
It will only allow access to the session id via the HTTP protocol (hence, JS won't be able to touch it), but keep in mind it isn't supported in all browsers.
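
The setting above only takes effect if it runs before the session starts, so here is an added example (not part of the original post) that applies it in the right order and then checks the response headers for the flag. The helper names `start_httponly_session` and `session_cookie_is_httponly` and the sample header values are hypothetical and constructed for illustration.

```php
<?php
// Added example: hypothetical helpers, not code from the original post.

// Enable HttpOnly on the session cookie, then start the session.
// The ini value is read when the cookie is emitted, so it must be
// set before session_start() is called.
function start_httponly_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        throw new RuntimeException('Session already active; set session.cookie_httponly earlier.');
    }
    if (ini_set('session.cookie_httponly', '1') === false) {
        throw new RuntimeException('Could not change session.cookie_httponly.');
    }
    session_start();
}

// True only if at least one Set-Cookie header for $cookieName exists
// and every one of them carries the HttpOnly attribute.
function session_cookie_is_httponly(array $headers, string $cookieName): bool
{
    $seen = false;
    foreach ($headers as $header) {
        if (stripos($header, 'Set-Cookie:') !== 0) {
            continue;
        }
        $value = ltrim(substr($header, strlen('Set-Cookie:')));
        if (strpos($value, $cookieName . '=') !== 0) {
            continue;
        }
        $seen = true;
        $attrs = array_map('trim', explode(';', $value));
        array_shift($attrs); // drop the name=value pair
        $flagged = false;
        foreach ($attrs as $attr) {
            if (strcasecmp($attr, 'HttpOnly') === 0) {
                $flagged = true;
            }
        }
        if (!$flagged) {
            return false;
        }
    }
    return $seen;
}

// Constructed sample headers: without the setting, then with it.
$weak     = ['Set-Cookie: PHPSESSID=abc123; path=/'];
$hardened = ['Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly'];
var_dump(session_cookie_is_httponly($weak, 'PHPSESSID'));
var_dump(session_cookie_is_httponly($hardened, 'PHPSESSID'));
```

In a live request, call `start_httponly_session()` and then pass `headers_list()` and `session_name()` to the checker instead of the sample arrays.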