My site needs a way to know whether a user is an admin or not in multiple pages. So is it safe to store whether a user is an admin or not in session variable? Or is there a better alternative (Maybe another superglobal variable?), It will only hold a number.
Yes, I would say it's safe, well, safer than using something like a cookie (Because a SESSION is server side). You could also store the users IP (or other validation checks) which are then checked everytime the data is then used. This could be one option. Also destroy the session after a certain time / inactivity; it depends on the nature of the site though.
You can try logging in the admin first, and then generate a random security salt, assign this salt to session e.g. $SESSION['security'] = 1653e9gg4r99s@$7700)llls434rf853~, and then on your member's database table, you must insert this in session column. While the admin hops over pages, you can double check if the session salt still matches with the one recorded on the database. Session expiration will help also e.g. 45 minutes to generate a new salt, update database session column. Upon logout of the admin database session entries should also be unset. In my logged in sytem, I post salt as session, and then the IP address of logged in members.
Sessions should be fine, and the data could be secured more with encryption as stated in the post above. Sessions are actually PHP's way of encapsulating cookies thus cookies still are being used however session data cannot be accessed directly as opposed to cookies.