relying on Session to restrict user behavior on server?

[addlistener]

As we know the Session object is exposed to the client. Should we do server check against the info in Session?

// server psuedo code 
if (session.id === someEntry.createdById) {
  // do sth..
}

Or simply put is it possible for a hacker to, let's say, change the user.id in session?

I'm using database session strategy. But I guess the same question applies to jwt strategy ( I vaguely remember that there's some secret to encrypt jwt but just to confirm here)

declare module "next-auth" {
  /**
   * Returned by `useSession`, `getSession` and received as a prop on the `SessionProvider` React Context
   */
  interface Session extends DefaultSession {
    user: DefaultSession["user"] & {
      id: string;
      // ...other properties
      // role: UserRole;
    };
  }
}

https://next-auth.js.org/getting-started/typescript#module-augmentation