So I guess I am saying is, restrictions placed on a user only means you as the developer did not incorporate the best logic in your script or service. As for session high jacking, it not your problem if you have developed a secure system, the only thing you can do is educate your users so they understand what is the best way to use your service. I think people waste to much time on security, less is always better, because the more you try to protect against will result in more chances you have left a opening.
Less is always the worst possible security design flaw. Less means you're not covering the obscure less publicised groups of security exploits. A key concept in security is Defense in Depth - not only do you add a security layer to prevent an exploit, you can also add second and third layers which may be redundant but exist on the assumption the primary layer will fails.
Never assume a single protection is enough - it's not. Human error makes it impossible for anything to be a certainty.
If I took your approach I might filter incoming variables and nothing else. But what about escaping output? What about $_SERVER variable filtering? What about user verification and permissions? What about CSRF? etc.
Less is an idea that ignorant developers promote. Not being offensive here

It's just a fact of PHP, you need to educate yourself in PHP security before you realise more security measures makes a more secure application, esp. if implemented consistently.
Leaving any security implementation decision to users is a waste of time. The vast majority neither care or know what they are, and why they exist. Besides most PHP apps still need cookies and javascript enabled. What else can a user do???