Can a user modify a PHP session?

Question

Page1.php:

Page2.php

Answer 1

No. The data in the $_SESSION variable is stored on the server, inaccessible from the user.

A session is coupled to a user through a cookie. A cookie with a identifier (i.e. a long random string) is sent to the user to identify the user and link him to his session. If somebody else gains access to this cookie, he can use that same code to pretent he is the user, and that way he can get in without the password.