To prevent mitm-attacks you want to make sure the session cookie is only transmitted over a secure channel prefix it with the magic string "__Secure-". [1]
Like :
<?php
session_start( [ 'name' => '__Secure-Session-ID' ] );
?>
The cookie will not be available on non-secure channel.
(Putting this note it here probably goes unnoticed because of all the noise)
[1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes