In order to respect the users' privacy, I need to encrypt each user's information with a key that only they themselves know it. Server and anyone who can access the server or database are not supposed to be trusted
So, I am going to use each user's password to encrypt his/her security critical data. and this is the reason that I need to store the password while the session is alive, in order to encrypt and decrypt their informations.
And here is the question: If I save the password in a session, is it possible for an attacker with full access to the server to retrieve stored password from the session?
You question doesn't make a lot of sense.
I need to encrypt each user's information with a key that only they themselves know it.
You're talking about end-to-end encryption
I need to store the password while the session is alive
You know the users' passwords!
You should decide if you want to use end-to-end encryption (where they key never leaves the user's computer), or not.
is it possible for an attacker with full access to the server to retrieve stored password from the session?
Yes
Short Answer: Yes an attacker with full access to the server can retrieve the password from the temp session file.
Here is a quick example where we place the session file next to our php file and then read its contents.
<?php
session_save_path('./');
session_start();
$_SESSION['password'] = 'xc4qh8wzza1xmx6vhf0nfuzluigqxlj';
echo file_get_contents('./sess_' . session_id());
?>
The result is
password|s:31:"xc4qh8wzza1xmx6vhf0nfuzluigqxlj";
As you can see the data is stored in plain text and can be easily read.