Does anyone know how secure sessions are in PHP?

Is it stored on the server?
If so, can it be retrieved by a third party somehow?
If not, it must be stored on the client machine by PHP and encrypted, I assume.

Info and links from anyone who has dealt with this would be appreciated.