Session variables are always stored and protected on the server. When using at least the default implementation of PHP. So yes, as long as it is installed correctly.
Only a unique identifier identifying the session is sent to the client.