My two (or more) cents:
- Trust no one
- Filter input, escape output (cookie, session data are your input too)
- Avoid XSS (keep your HTML well formed, take a look at PHPTAL or HTMLPurifier)
- Defense in depth
- Do not expose data
There is a tiny but good book on this topic: Essential PHP Security by Chris Shiflett.
On the home page of the book you will find some interesting code examples and sample chapters.
You may use the technique mentioned above (IP & UserAgent), described here: How to avoid identity theft
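As an added example (not part of this answer or of Shiflett's book), the "filter input, escape output" rule applied in PHP to a cookie value and a query parameter; the cookie name `theme`, the parameter name `name` and the whitelists are assumptions for illustration:

```php
<?php
// Added example: "filter input, escape output", with a cookie treated as input.
// Assumed scenario: a "theme" cookie and a "name" query parameter rendered into HTML.

declare(strict_types=1);

// Filter input: accept only what is expected, fall back to a safe default otherwise.
function filterTheme(?string $raw): string
{
    $allowed = ['light', 'dark'];
    return in_array($raw, $allowed, true) ? $raw : 'light';
}

function filterDisplayName(?string $raw): string
{
    // Whitelist: 1-32 letters, digits, spaces, dots or hyphens.
    if ($raw !== null && preg_match('/^[A-Za-z0-9 .-]{1,32}$/', $raw) === 1) {
        return $raw;
    }
    return 'guest';
}

// Escape output: encode for the HTML context at the point of output, not earlier.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Superglobal entries may be arrays (e.g. a "theme[]" cookie), so only accept strings.
function stringOrNull(mixed $v): ?string
{
    return is_string($v) ? $v : null;
}

// Cookie and query string are both untrusted input.
$theme = filterTheme(stringOrNull($_COOKIE['theme'] ?? null));
$name  = filterDisplayName(stringOrNull($_GET['name'] ?? null));

// Vulnerable form (what the answer warns against): raw input written straight into HTML.
// echo "<body class=\"$theme\"><h1>Hello $name</h1></body>";

// Hardened form: filtered on the way in, escaped on the way out.
echo '<body class="' . e($theme) . '"><h1>Hello ' . e($name) . '</h1></body>';
```

The escaping in `e()` is for an HTML text or attribute context only; values placed into JavaScript, URLs or SQL need the encoder for that context.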