Set the HttpOnly flag on the session cookie. This prevents malicious scripts from accessing (stealing) the session cookie from the browser in IE and other browsers that support this feature.