
Can PHP sessions be manually edited?

Tags:

php

Can PHP sessions be edited like cookies? Or are they stored on the webhost?

asked Feb 14 '10 16:02

FinalDestiny


2 Answers

The session key is stored in the client's browser, while the data is stored on the server.

When the user makes a request on the server, their session key is sent across the network and the values associated with their key are retrieved from the specific session file on the server and are made accessible via $_SESSION.

It is possible to hijack another user's session if the key is intercepted, which is why you should have specific values in the session which associate to the user's computer/network connection (IP address, for example).

answered Oct 27 '22 20:10

Tim Cooper


Session data cannot be edited by the user, as they are stored on the server. The user can, however, start a new session and ditch whatever session data he previously had. Also, you should be aware of potential security issues, such as session fixation.

answered Oct 27 '22 20:10

Will Vousden
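
Added example, not part of either answer above: a session bootstrap that applies the two mitigations the answers mention, binding the server-side session to client attributes (first answer) and issuing a fresh session ID at login to defeat session fixation (second answer). The function names `start_secure_session`, `client_fingerprint` and `on_login_success` are hypothetical, and the `secure` cookie flag assumes the site is served over HTTPS.

```php
<?php
// Added example: hardened session handling. Function names are hypothetical.
declare(strict_types=1);

function client_fingerprint(): string
{
    // Values tied to the client's connection, as the first answer suggests.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $ip . '|' . $ua);
}

function start_secure_session(): void
{
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never take the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // assumption: HTTPS only
        'httponly' => true,   // keep the session key away from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();

    $fingerprint = client_fingerprint();
    if (!isset($_SESSION['fingerprint'])) {
        // First request of this session: remember who it belongs to.
        $_SESSION['fingerprint'] = $fingerprint;
    } elseif (!hash_equals($_SESSION['fingerprint'], $fingerprint)) {
        // The key arrived from a different client: treat it as stolen,
        // discard the server-side data and hand out a new, empty session.
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['fingerprint'] = $fingerprint;
    }
}

function on_login_success(int $userId): void
{
    // Session fixation defence: an ID known before login is never reused
    // for the authenticated session; the old session file is deleted.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

Binding to the IP address will also end the session of a legitimate user whose address changes (mobile networks, some proxies), so the mismatch branch should lead back to a login prompt rather than an error page.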