So within a specific session I would not describe them as "secure".
In other words there is no specific goal to prevent a user from seeing their own session values.
That said, they're not easy to inspect - offhand I can't think of any overt ways to do it - but making them "secret" to the user has not been a goal. (In the absence of security goals, one should assume they are insecure.)
However I'm pretty sure one user would not be able to access the session values for another user (assuming the site is secure with TLS of course.)
Cheers
Bruce
Topic: Security Question: Session Values (Read 3492 times)