One thing you can do is track the user's IP address in the session data, and any time it does not match the current request's IP, make the user log in again. This is not a cure-all, but can help in some cases, in particular someone sniffing the cookies on a non-HTTPS connection (another good reason to use HTTPS?).
It's also a good idea to make the user log in any time they hit a particularly sensitive page and their last log-in was more than some arbitrary time in the past.
For more details and other ideas, I recommend Essential PHP Security.
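The two checks described above (IP bound to the session, and a fresh login for sensitive pages), as an added example that is not part of the original answer. The function names, the session keys `user_ip` and `login_at`, and the 300-second limit are assumptions chosen for illustration; the walk-through uses a plain array and constructed addresses in place of `$_SESSION` and `$_SERVER['REMOTE_ADDR']`.

```php
<?php
declare(strict_types=1);

// Assumed policy value: how old a login may be before a sensitive page asks again.
const SENSITIVE_MAX_AGE = 300; // seconds

// Record the client IP and login time when the user authenticates.
function mark_logged_in(array &$session, string $ip, int $now): void
{
    $session['user_ip'] = $ip;
    $session['login_at'] = $now;
}

// Returns 'ok', or the reason the user must log in again.
function check_session(array &$session, string $ip, int $now, bool $sensitive): string
{
    if (!isset($session['user_ip'], $session['login_at'])) {
        return 'not_logged_in';
    }
    if (!hash_equals($session['user_ip'], $ip)) {
        // IP changed: drop the session data so a copied cookie is useless.
        $session = [];
        return 'ip_mismatch';
    }
    if ($sensitive && ($now - $session['login_at']) > SENSITIVE_MAX_AGE) {
        return 'reauth_required';
    }
    return 'ok';
}

// Constructed walk-through using a plain array in place of $_SESSION.
$session = [];
mark_logged_in($session, '203.0.113.10', 1000);
foreach ([
    ['203.0.113.10', 1100, false],
    ['203.0.113.10', 1100, true],
    ['203.0.113.10', 1400, true],   // login is 400 s old on a sensitive page
    ['198.51.100.7', 1500, false],  // same cookie, different address
    ['203.0.113.10', 1600, false],  // session was cleared by the mismatch
] as [$ip, $now, $sensitive]) {
    printf("%-13s t=%d sensitive=%d -> %s\n", $ip, $now, (int)$sensitive,
        check_session($session, $ip, $now, $sensitive));
}
```

In a real page, call `session_start()` first and pass `$_SESSION`, `$_SERVER['REMOTE_ADDR']` and `time()`, calling `session_regenerate_id(true)` at login. Behind a reverse proxy `REMOTE_ADDR` is the proxy's address, so the comparison only means something when the application sees the client's own address.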