PHP Can a client ever set $_SESSION variables?

谎友^ 2020-12-30 00:48

Is there any scenario where a client/user/hacker can set $_SESSION variables themselves (excluding malicious software running on a server computer. I mostly mea

4 answers
  •  被撕碎了的回忆
    2020-12-30 01:02

    Yes, if you were assigning $_SESSION variables directly to unfiltered user input.

    Which brings me to my point: NEVER TRUST INPUT FROM THE USER. EVER.

    If indeed you are filtering the input, then I don't see how it could be done.
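
The case this answer describes, as an added example that is not part of the original thread: session data is stored server-side, so a client can only influence it when application code copies request input into it. The function names, session keys and sample request are hypothetical, and plain arrays stand in for `$_POST` and `$_SESSION` so the script runs from the CLI (PHP 7.4+).

```php
<?php
// Added illustration; names and keys below are hypothetical, not from the thread.

// Unfiltered: every request field is copied into the session, so the client
// picks both the key and the value, including keys the application trusts.
function store_prefs_unfiltered(array $request, array &$session): void
{
    foreach ($request as $key => $value) {
        $session[$key] = $value;
    }
}

// Filtered: only allow-listed keys are accepted, each with its own validator,
// and they are stored under a separate 'prefs' namespace. Everything else in
// the request is ignored.
function store_prefs_filtered(array $request, array &$session): void
{
    $validators = [
        'theme'     => fn($v) => in_array($v, ['light', 'dark'], true),
        'page_size' => fn($v) => is_string($v) && ctype_digit($v)
                                 && (int)$v >= 10 && (int)$v <= 100,
    ];
    foreach ($validators as $key => $isValid) {
        if (isset($request[$key]) && $isValid($request[$key])) {
            $session['prefs'][$key] = $request[$key];
        }
    }
}

// Constructed sample request standing in for $_POST.
$request = ['theme' => 'dark', 'page_size' => '25', 'is_admin' => '1', 'user_id' => '1'];

// Constructed session state standing in for $_SESSION after login.
$session = ['user_id' => 42, 'is_admin' => false];
store_prefs_unfiltered($request, $session);
echo "unfiltered:\n";
var_dump($session);   // trusted keys were overwritten by request data

$session = ['user_id' => 42, 'is_admin' => false];
store_prefs_filtered($request, $session);
echo "filtered:\n";
var_dump($session);   // trusted keys unchanged; validated prefs stored separately
```

Comparing the two dumps shows which session keys the request was able to change in each version.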
