
What is the security of PHP session_start $ _SESSION value as connection check?

 3 years ago
source link: https://www.codesd.com/item/what-is-the-security-of-php-session-start-session-value-as-connection-check.html


If a user successfully logs in and passes security checks (username, password, 2fa... whatever) and the hypothetical PHP login system then does something like:

session_start();
$_SESSION['logged_in_userid'] = 1;

How safe is it to then rely on the existence of that $_SESSION value 'logged_in_userid' as proof that this person really did actually previously pass the full security check? Not very, I'm thinking.

If someone were to determine the PHPSESSID by XSS and manually add it to their own local cookies, are they not then going to be automatically assumed to be logged in when they visit the same system?

If so, would a resolution be to also record in the _SESSION, at login time, the REMOTE_ADDR, HTTP_USER_AGENT and X_FORWARDED_FOR, and then at each request compare not only the _SESSION logged_in_userid but also the _SESSION REMOTE_ADDR etc. with those found in the current _SERVER vars?

Or is that flawed also?


It actually is secure but you need to do some extra stuff to make sure that someone can't 'hijack' the session by XSS for example as you mentioned:

static protected function preventHijacking()
{
    // Both values are expected to have been stored in $_SESSION at login time.
    if (!isset($_SESSION['IPaddress']) || !isset($_SESSION['userAgent']))
        return false;

    if ($_SESSION['IPaddress'] != $_SERVER['REMOTE_ADDR'])
        return false;

    if ($_SESSION['userAgent'] != $_SERVER['HTTP_USER_AGENT'])
        return false;

    return true;
}

The function above checks the IP address to see if it's with the original user and not by someone else.
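The following is an added example, not code from the question or the answer above. It shows the server-side pieces that address the hijacking scenario the question raises: the session id is regenerated at login so an id obtained before authentication never becomes an authenticated one, the cookie is issued with HttpOnly, Secure and SameSite so that script running in the page cannot read PHPSESSID and it is only sent over TLS, strict mode rejects ids the server never issued, and the session carries an idle timeout plus a loose fingerprint. REMOTE_ADDR is deliberately left out of the fingerprint because mobile and proxied users change address mid-session and X-Forwarded-For is set by the client, so the IP comparison suggested in the question mostly locks out legitimate users without stopping an attacker who already holds the cookie. Function and key names (secure_session_start, login_user, logout_user, current_user_id, 'fingerprint', 'last_seen', IDLE_TIMEOUT_SECONDS) are hypothetical.

```php
<?php
// Added example (not from the original thread). Function names, session keys and
// the timeout constant are hypothetical. Requires PHP 7.3+ for the array form of
// session_set_cookie_params().
declare(strict_types=1);

const IDLE_TIMEOUT_SECONDS = 1800;

function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Session ids come from the cookie only, never from the URL, and ids the
    // server did not generate are rejected (defeats session fixation).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable via document.cookie
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Fingerprint only on attributes that rarely change for a legitimate user.
// REMOTE_ADDR and X-Forwarded-For are intentionally excluded (see lead-in).
function session_fingerprint(): string
{
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $ua);
}

function login_user(int $userId): void
{
    // Discard the pre-login id; a fixated or leaked id must not survive login.
    session_regenerate_id(true);
    $_SESSION['logged_in_userid'] = $userId;
    $_SESSION['fingerprint']      = session_fingerprint();
    $_SESSION['last_seen']        = time();
}

function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the cookie on the client as well as destroying the server-side data.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Returns the authenticated user id, or null when the session must not be trusted.
function current_user_id(): ?int
{
    if (!isset($_SESSION['logged_in_userid'], $_SESSION['fingerprint'], $_SESSION['last_seen'])) {
        return null;
    }
    // Constant-time comparison of the stored and current fingerprints.
    if (!hash_equals($_SESSION['fingerprint'], session_fingerprint())) {
        logout_user();
        return null;
    }
    // Idle timeout bounds how long a stolen cookie stays useful.
    if (time() - (int)$_SESSION['last_seen'] > IDLE_TIMEOUT_SECONDS) {
        logout_user();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int)$_SESSION['logged_in_userid'];
}

// Usage on a protected page:
secure_session_start();
$uid = current_user_id();
if ($uid === null) {
    header('Location: /login.php', true, 303);
    exit;
}
```

The point to take from this is that once an attacker holds a valid PHPSESSID, the server cannot tell the two clients apart; the fingerprint check is a speed bump, not proof. The real controls are keeping the id from leaking in the first place (HttpOnly, Secure, TLS, fixing the XSS itself) and limiting how long a leaked id is worth anything (regeneration at login and on privilege change, idle and absolute timeouts, explicit logout that destroys the server-side record).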

