PHP

Possible to change/fake $_SESSION?

Hello!
Right now I'm writing an authorization form for mini-crm according to the following logic:
0. We look to see if this user has an active session, and if not, then.
1. I accept the entered login and password (md5) from the form.
2. If the login and password match the database, then.
3. I create session for the given user. And here the question
immediately arises : is it possible to fake this very session, which I bring to the user at the time of successful authorization? Of course, you can fasten the session to a specific ip, and write the ip itself to the database, but you need to have a list of ip if the person comes from different devices, and this is hemorrhoids ... If you can fake a session, then how in my case is it generally more optimal to protect ' with authorization? Thank you!