Forum Moderators: coopster


managing user rights using sessions

Don't know how to manage user rights using sessions

         

swati

8:00 am on Dec 29, 2004 (gmt 0)

10+ Year Member



Hello,
I am not familiar with sessions, though I've done a couple of tutorials, but did not understand how I can manage user permissions for certain actions... e.g. if I have 5 types of users and not all of them are allowed to delete records and not all are allowed to add or assign... so how do I do all that using sessions?
Could you give me some leads?
Thank you
Swati

coopster

1:23 pm on Dec 29, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



By having a user authenticate themselves you can control what to show them, what they can access and what their capabilities are. Session management just helps you keep track of who is who during the request -- your script logic will still need to determine what capabilities they have. You'll often see a database used in these situations as well. You can define the capabilities right in the database security for some databases and/or you may choose to manage your own user security levels.

mcibor

4:27 pm on Dec 29, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I think you are mixing two categories. Sessions are only for user authentication, so you know who is who.

If you use a database, then you can store the information there, e.g.

user, permission
root, 5
mark, 4
jane, 2
, 1

Then in PHP get the user name:

$user = $_SESSION["user"];

Ask the database, e.g. MySQL: SELECT permission FROM base.table WHERE user='$user';

And then you have variables user and his permission level.

Hope it answers you a bit.
Best regards in New Year!
Michal Cibor
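
The lookup described in the post above, as an added example that is not part of the original thread: the session supplies only the user name, the permission level is read from the database on each request with a prepared statement, and every action is checked against a minimum level. The in-memory SQLite table (standing in for MySQL), the `users` table name, the action-to-level map and the function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: in-memory SQLite stands in for the MySQL table in the post.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, permission INTEGER NOT NULL)');
$db->exec("INSERT INTO users VALUES ('root', 5), ('mark', 4), ('jane', 2)");

// Hypothetical mapping: minimum permission level required for each action.
const REQUIRED_LEVEL = ['view' => 1, 'add' => 2, 'assign' => 4, 'delete' => 5];

// Look up the level on every request so a demotion takes effect immediately.
// The prepared statement keeps the user name out of the SQL text.
function permissionFor(PDO $db, string $user): int
{
    $stmt = $db->prepare('SELECT permission FROM users WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $level = $stmt->fetchColumn();
    return $level === false ? 0 : (int) $level;   // unknown user: no rights
}

// Deny by default: no session user, unknown action, or level too low.
function can(PDO $db, array $session, string $action): bool
{
    if (!isset($session['user']) || !is_string($session['user'])) {
        return false;
    }
    if (!array_key_exists($action, REQUIRED_LEVEL)) {
        return false;
    }
    return permissionFor($db, $session['user']) >= REQUIRED_LEVEL[$action];
}

// Constructed session contents; in a web request this is $_SESSION after session_start().
$session = ['user' => 'jane'];
foreach (array_keys(REQUIRED_LEVEL) as $action) {
    printf("%s %s: %s\n", $session['user'], $action, can($db, $session, $action) ? 'allowed' : 'denied');
}
var_dump(can($db, $session, 'drop_table'));   // action missing from the map
var_dump(can($db, [], 'view'));               // no user in the session
```

The check belongs in the script that performs the action, not only in the page that shows the link to it.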

too much information

4:34 pm on Dec 29, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Just remember that Sessions do time out where cookies do not. I used Sessions in my eCommerce set up to track orders with a default time-out of 20min, but have noticed that many orders need to be placed 2 or 3 times before they are completed because people are just that slow.

If you need to have permissions set for an unknown period of time you should probably think about using cookies and setting them to expire after an hour or erase them when users "log out".