can a user steal another user's session by stealing its session cookie?

Re: can a user steal another user's session by stealing its session cookie?

by Michael Hawkins -

Hi Di,

If you want to remain on Moodle 3.5, it may be worth considering upgrading to 3.5.12 to receive any relevant security patches, while remaining on the same major release version. However, if you do want to manually apply relevant patches, take a look at the security announcements page, where I publish all security fixes 1 week after they are released (which includes links to the patches). You can check the "versions affected" section of each announcement to see whether your version is affected. Currently for 3.5.x, fixes are listed up to 3.5.11, and any security fixes for 3.5.12 will be listed next Monday (18th May). For future updates, if you'd like to receive those security updates by email: when you register your Moodle site, there is also an option to opt into receiving security alert emails, the advantage being that you also receive them on release day (1 week earlier than they are published on the site).

I'm not sure if you're proposing to restrict IPs so that each user must be on a different IP, or logging a user out if their IP address changes, but I think there are some considerations to make for both. For the first case, that will cause issues for users on a shared network that may have a single external IP, and for the second case, users can switch IPs, for example if they are joining/leaving a WiFi network, and occasionally dynamic IPs can expire etc.

I don't think there is a lot you can do to prevent a login where someone has gained another user's cookie (assuming you don't know that it has been stolen and taken action to invalidate that session), because that is the way modern web applications function, the aim being to protect sessions from compromise. We do, however, work hard to ensure measures (such as capability checks and sanitizing) are in place to protect users as much as possible from these types of risks.

If you would like to enable httpOnly, there is a setting available in Moodle site administration to do so (Site Administration > Security > Http Security > Only http cookies), along with a description of some potential compatibility limitations that you should be aware of.
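An added check, not from the post above or from Moodle's own code, that a site admin could run over a captured login response to confirm the session cookie actually carries HttpOnly after changing that setting; it also reports the Secure and SameSite attributes, which the post does not discuss. The cookie name `MoodleSession` and both sets of response headers are constructed for the example.

```python
"""Audit the Set-Cookie headers of an HTTP response for session-cookie flags."""
from typing import Dict, List, Tuple

# Constructed sample responses (not captured from a real site) modelling the
# same login page before and after switching on "Only http cookies".
BEFORE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "MoodleSession=2k8v1example; path=/"),
    ("Set-Cookie", "theme_pref=dark; path=/; Max-Age=31536000"),
]
AFTER_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "MoodleSession=2k8v1example; path=/; Secure; HttpOnly; SameSite=Lax"),
]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, object]]:
    """Split one Set-Cookie value into (name, value, attributes).
    Attribute names are lower-cased; flag attributes (HttpOnly, Secure)
    map to True, valued ones (Path, SameSite) to their string value."""
    first, *rest = header.split(";")
    name, _, value = first.partition("=")
    attrs: Dict[str, object] = {}
    for attr in rest:
        key, sep, val = attr.strip().partition("=")
        attrs[key.lower()] = val if sep else True
    return name.strip(), value.strip(), attrs


def audit_session_cookie(headers: List[Tuple[str, str]], cookie_name: str) -> Dict[str, object]:
    """Report which protective attributes the named session cookie carries.
    Only Set-Cookie headers are inspected; other cookies are ignored."""
    for field, value in headers:
        if field.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        if name != cookie_name:
            continue
        httponly = attrs.get("httponly") is True
        secure = attrs.get("secure") is True
        samesite = attrs.get("samesite")
        missing = [n for n, ok in (("HttpOnly", httponly), ("Secure", secure),
                                    ("SameSite", samesite is not None)) if not ok]
        return {"found": True, "httponly": httponly, "secure": secure,
                "samesite": samesite, "missing": missing}
    return {"found": False, "httponly": False, "secure": False,
            "samesite": None, "missing": ["HttpOnly", "Secure", "SameSite"]}


if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE_HEADERS), ("after", AFTER_HEADERS)):
        print(label, audit_session_cookie(hdrs, "MoodleSession"))
```

Against a live site, feed it the Set-Cookie headers from the response to a successful login rather than the constructed lists, since a cookie set without HttpOnly on one page is enough for a script on that page to read it.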