Just received the results of a security audit - everything clear apart from two things
Session cookie without http flag.
Session cookie without secure flag set.
The application is coded in php and the suggestions to fix are:
Since you asked for .htaccess, and this setting is PHP_INI_ALL, just put this in your .htaccess:
php_value session.cookie_httponly 1 php_value session.cookie_secure 1
Note that session cookies will only be sent with https requests after that. This might come as a surprise if you lose a session in non-secured http page (but like pointed out in the comments, is really the point of the configuration in the first place...).