I'm creating a dashboard where I have the front end on one subdomain and the api which is in php on another subdomain. I was looking for how to preserve $_SESSION between the two and found this. So what I'm inquiring about is since cookies are stored on the users machine and I'm sending the user id to the api, would they be able to manipulate this value and browse the app as a different user assuming I use session_set_cookie_params(). So I would be using $_SESSION in the api but this native function makes me think they'd be able to change the value.
I don't believe this method I've alluded to is of any danger (knock on wood) but I'm just going to go for the /api/ subfolder structure anyways at this point as having a separate endpoint seems to make things too spread out.