I save some important info in $_SESSION, not in $_COOKIE. So, my question, is it dangerous? Or hacker is not able to edit $_SESSION and I'm fine?
Thank you.
edited:
By the way, is it possible also to edit $_COOKIE? I heard yes, but if yes, then how?
$_SESSION is stored on your webserver, so it's not possible to directly alter it via the web. Of course, your PHP application can update $_SESSION, so it still might be possible for an attacker to trick your application into doing something to $_SESSION that it shouldn't - it all depends on the specifics of your application.
$_COOKIE is stored on the user's browser, which means that the user has the power to change their own cookies.
One of the main uses for cookies is authentication. A user logs in and information is stored in $_SESSION. A cookie (stored in $_COOKIE) records the session id of the user so that your application knows which session belongs to the logged-in user.
$_SESSION is stored server-side. The best a hacker could do would be substitute another user's session for the existing session, but the hacker could not insert arbitrary data into $_SESSION. $_COOKIE is, however, stored client-side, so a hacker can insert arbitrary data into the cookie, by just editing the cookie.
Cookies are sent via the user-agent every time a page is requested. The user-agent doesn't need to be a browser. It could be a small shell script. Even if it is a browser, there's an "edit cookie" extension for Firefox.
If you're worried about people altering sessions (session hijacking) look into session_regenerate_id()
$_COOKIE contains information that the client sent to your web server. Most commonly this is the contents of browser cookies but t could contain ANYTHING, so don't trust it.
By default, the $_SESSION is already backed by a cookie with the name phpsessionid (so that the server is able to identify the client and associate it with one of the sessions in server's memory). If a hacker knows the cookie value of someone else and copies it in its own cookie with the same name on the same domain/path, then the hacker has access to the same $_SESSION. The cookie value is however long and random enough to minimize the risks the session being hijacked within half a hour (the default session timeout).