php: View and change session variables in a browser

Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow original: http://stackoverflow.com/questions/2430253/

Time: 2020-08-25 06:27:15  Source: igfitidea

View and change sessions variables in a browser

php debugging browser

Asked by ohho

Debugging a PHP program, is there any add-on/plug-in for the browser with which I can view session variables (those PHP $_SESSION["foobar"])?

Best if I can change the value in the variables.

Answered by Jacob Relkin

There is no way to manipulate the values stored in sessions from the client side.

That's one of the main reasons you'd use a session over a cookie - YOU control the data. With cookies, the user can manipulate the data.

The only way to access/manipulate session data from the client side would be with an Ajax call or other JavaScript mechanism to call another PHP script, which would be doing the retrieval/manipulation of the session data via the session_ functions.

Answered by apis17

$_SESSION is a server-side array of variables. If we could read or change the values, there are many things that we could do to hack or cause other bad things to happen.

However, using phpinfo(); we can view session variables - but we cannot change the value.

Even better, we can debug all session variables with

print_r($_SESSION); 
//if you echo "<pre>" before, and a closing "</pre>" after, it prints very cleanly.

Some other useful commands:

session_start(); // start or resume the session; returns true on success (the ID comes from session_id())
session_destroy(); // destroy the stored session data; the $_SESSION array itself is not unset

Session is an array, so if you set $_SESSION['key']='value'; it is the same as $array['key']=value; - only, what is special about $_SESSION - is that it persists until the window is closed, or session_destroy() is called.

Answered by CoderX

You can use this code below:

<?php
error_reporting(E_ALL);
session_start();
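if (isset($_POST['session'])) {
    // eval() runs the submitted text as PHP code, so anyone who can reach this
    // page can execute code on the server: keep it on a private dev machine only.
    try {
        $session = eval("return {$_POST['session']};");
    } catch (Throwable $e) {
        // PHP 7+: input that does not parse throws instead of returning false
        $session = null;
    }
    if (is_array($session)) {
        $_SESSION = $session;
        header("Location: {$_SERVER['PHP_SELF']}?saved");
    }
    else {
        header("Location: {$_SERVER['PHP_SELF']}?error");
    }
    exit; // stop here so the redirect is the only response
}

// Render the current session as PHP array syntax, escaped for the textarea
$session = htmlentities(var_export($_SESSION, true));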
?>
<!DOCTYPE html>
<html lang="en-US">
    <head>
        <meta charset="UTF-8">
        <title>Session Variable Management</title>
        <style>
            textarea { font: 12px Consolas, Monaco, monospace; padding: 2px; border: 1px solid #444444; width: 99%; }
            .saved, .error { border: 1px solid #509151; background: #DDF0DD; padding: 2px; }
            .error { border-color: #915050; background: #F0DDDD; }
        </style>
    </head>
    <body>
        <h1>Session Variable Management</h1>
<?php if (isset($_GET['saved'])) { ?>
        <p class="saved">The session was saved successfully.</p>
<?php } else if (isset($_GET['error'])) { ?>
        <p class="error">The session variable did not parse correctly.</p>
<?php } ?>
        <form method="post">
            <textarea name="session" rows="<?php echo count(preg_split("/\n|\r/", $session)); ?>"><?php echo $session; ?></textarea>
            <input type="submit" value="Update Session">
        </form>
    </body>
</html>
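
The editor in the answer above passes the posted text to eval(), which runs it as PHP. As an added example (not part of the original answers), the same debugging page can exchange the session as JSON so the input is only ever parsed as data; the DEBUG_SESSION_EDITOR flag, the _editor_csrf key and the loopback check are assumptions of this example.

```php
<?php
// Added example, not from the original answers. Needs PHP 7.4 or later.
// Assumption: DEBUG_SESSION_EDITOR is a hypothetical flag set only on a dev machine.
declare(strict_types=1);

// Parse the submitted text as data; json_decode() never executes it, unlike eval().
function decode_session_edit(string $text): ?array
{
    try {
        $value = json_decode($text, true, 32, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    return is_array($value) ? $value : null;
}

// Serve the tool only when explicitly enabled and requested over loopback.
$remote = $_SERVER['REMOTE_ADDR'] ?? '';
if (getenv('DEBUG_SESSION_EDITOR') !== '1' || !in_array($remote, ['127.0.0.1', '::1'], true)) {
    http_response_code(404);
    exit;
}

session_start();
// Per-session token so a page on another origin cannot submit the form (CSRF).
$_SESSION['_editor_csrf'] ??= bin2hex(random_bytes(32));
$token = $_SESSION['_editor_csrf'];
$status = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $sent = $_POST['csrf'] ?? '';
    $text = $_POST['session'] ?? '';
    $ok = is_string($sent) && is_string($text) && hash_equals($token, $sent);
    $edit = $ok ? decode_session_edit($text) : null;
    if ($edit !== null) {
        $_SESSION = ['_editor_csrf' => $token] + $edit; // the token survives the overwrite
    }
    $status = $edit !== null ? 'saved' : 'error';
}
$json = json_encode($_SESSION, JSON_PRETTY_PRINT) ?: '{}';
$h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
?>
<!DOCTYPE html>
<title>Session editor (debug only)</title>
<p><?= $h($status) ?></p>
<form method="post">
    <input type="hidden" name="csrf" value="<?= $h($token) ?>">
    <textarea name="session" rows="20" cols="80"><?= $h($json) ?></textarea>
    <input type="submit" value="Update Session">
</form>
```

Objects stored in the session do not survive the JSON round trip, so this suits scalar and array data. Behind a local reverse proxy every request appears to come from loopback, so leave the flag unset there.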

Answered by pjm

Be aware, however, that while the session 'variables' are stored server-side, the Session ID is either in the GET/POST URL (a VERY BAD idea) or stored in a browser cookie (better security), but still susceptible to manipulation/attack/etc. if you don't handle cookie-based session IDs carefully.

http://en.wikipedia.org/wiki/Session_fixation

http://en.wikibooks.org/wiki/PHP_Programming/sessions#Avoiding_Session_Fixation
