I am thinking about storing session cookies instead of using session 

variables. However, one thing I am unsure of is that can a user manually 

change the content of the cookies assigned to him?



for example, if I want to have a site protected only by ASP based on 

session cookies, is it possible that he manually edits his information in 

the cookies and elevate his own privilege? (I wasn't able to do that in 

neither netscape nor ie, but I am not certain if there is other methods I 

am unawared of)



thanks