Is it possible to edit session using session id

why do you need to edit session?

I count on permissions for each user what I want to do not to fetch the user permissions from the database every time he make a request rather I want to save it to a session but what if the Admin changed the permissions and the User start to navigate the website with old permissions that why I want the admin to edit any session he have on the server with out the interfere of the user

Personally I would prefer to check the database. Its what its made for! And I could imagine this giving you loads of headaches down the road.

But check this link https://stackoverflow.com/a/2892621/1305117

What I've done is to force the user to logout once I change his permissions

You're far better off simply checking against a "Role" on the Database. Using Session for permissions isn't a very robust way of doing it, given that sessions can refresh and more importantly, you're having to find a rather hacky method of changing it to reflect the changes you've made.

Personally, I just have a middleware check on a constructor on all my Controllers, that checks what they are, or aren't allowed to do, combined with Policies to prevent anything going through that shouldn't.

If you're changing someones permission, you're potentially forcing them to log out to see that affect and it's not very user friendly. If you're discussing here a Ban, that makes sense, but just invalidate the session after the ban is issued.

If you're talking about letting someone access a new part of the site, making them relog to access it is super un-intuitive for the end-user.

What is it you're exactly trying to do with these permissions?

it's employees system so changing permission is not that usual as you will do it three times at max at the employees life span but I totally agree with you that this way is not the proper way to do that but hey using database to fetch permissions every single time is a total loss for the sake of performance Imagine with me that you fetch permissions for thousands of employees every single request but using sessions is much much lighter

You're already fetching the User I assume, so would a simple Role on that user be that intensive that it wouldn't be a workable solution?

Does each member of staff have varying permissions, or is this "Role" based where you maybe have clear and predefined titles that handle the responsibility.

You could do simple Middleware checks, or use Policies (or both, as I do) to determine if the User is allowed to perform these actions. This would be updated the moment you change their role, wouldn't require you to invalidate and re-build, or at least edit their Session.

I've never heard of dealing with anything like this. First, send a notification to the user if they have a different role now. When they log in again their new role will be properly set using "out of box" authentication.

You also have to consider authorization. This is a question that really left me puzzled, no offense.

each employee has his own special permission and saved as json inside the database as it's crud permissions on each module so no roles here

cache the permissions using regular laravel caching, and invalidate the cache if permissions for a user are changed