My first question is about standard steps to take in order to provide a secure login page. Two things I am familiar with are using a password field to protect against someone watching over our shoulder, as well as transmitting data over HTTPS. Are there any other things one should include to have a fully secure login site?
Furthermore, once we log in, how is the session maintained, i.e. when the user clicks something, our server knows that it should again generate user-based content? Considering we are logged in, do we still need to maintain HTTPS and other security measures?
Thanks for your responses
There are all sorts of things one can do to make a site more secure, but even if you did all of them, you have no guarantee that your site is “fully” secure.
For instance, if you’re storing user login information in a database: did you put in protection against SQL injection? If your login page also contains a registration form: do you have protection against XSS exploits? Are there minimum requirements that the passwords must meet, or can users make their own (often very bad and easy to guess) passwords? There are some matters you can take into your own hands, but there are always things that, unfortunately, you won’t think to protect against (because no one would’ve thought of them) until they’re actually exploited. There are innumerable routes of attack for a site, and an equal number of ways to protect against them, and it would take me far too long to delve into all of them (not that I’m all that security-savvy myself).
As the other answers have pointed out, sessions are maintained by a session ID, which is stored in a cookie on the client’s side. When a session is started, the ID is generated; this ID is then used by the client’s browser to identify data stored on the server side as belonging to that browser. To prevent this ID from being stolen, the connection should be encrypted using HTTPS; however, something to keep note of is that if you have any references to external resources in your page (e.g.: an image from another site, a script from another site, etc.), the connection will only be partially encrypted (namely, the parts that aren’t external resources). This is less secure than full encryption for obvious reasons; to prevent this, I download all external resources into the local directory whenever possible.
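An added illustration (my own example code, not from this thread) of the session mechanism the answer describes: an unguessable session ID kept in a server-side store and sent to the browser in a cookie carrying the Secure and HttpOnly attributes, so it only travels over HTTPS and is not readable by page scripts. The in-memory dict, `SESSION_TTL` and the cookie name `sid` are assumptions made for the demo.

```python
import secrets
import time

SESSION_TTL = 30 * 60   # seconds of inactivity before expiry (constructed value)
_sessions = {}          # session_id -> {"user": ..., "expires": ...}; demo store only


def create_session(username, now=None):
    """Create a session after a successful login and return its ID."""
    now = time.time() if now is None else now
    # 32 random bytes from a CSPRNG: the ID cannot be guessed or enumerated.
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"user": username, "expires": now + SESSION_TTL}
    return sid


def session_cookie(sid):
    """Build the Set-Cookie value that carries the ID to the browser.

    Secure: only sent over HTTPS, so it never crosses a plaintext hop.
    HttpOnly: not exposed to JavaScript, limiting theft via XSS.
    SameSite=Lax: not attached to most cross-site requests (CSRF).
    """
    return f"sid={sid}; Secure; HttpOnly; SameSite=Lax; Path=/; Max-Age={SESSION_TTL}"


def lookup_session(cookie_header, now=None):
    """Resolve a request's Cookie header to a username, or None if invalid/expired."""
    now = time.time() if now is None else now
    sid = None
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            sid = value
    entry = _sessions.get(sid) if sid else None
    if entry is None:
        return None
    if entry["expires"] < now:
        del _sessions[sid]                 # expired: drop it server-side too
        return None
    entry["expires"] = now + SESSION_TTL   # sliding expiry on activity
    return entry["user"]


def destroy_session(sid):
    """Log out: remove the server entry so the ID is useless even if replayed."""
    return _sessions.pop(sid, None) is not None
```

The browser never holds user data, only the ID; everything the server renders for that user is looked up from the store on each request, which is why the cookie must stay protected for the whole session, not just at login.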