Ktor login

I am trying to make a login script in ktor using basic sessions.
install(Sessions) {
cookie(
“login_session”
){
cookie.path = “/”
cookie.extensions[“SameSite”] = “lax”

        }

    }

This is how I create the session. GEt /login returns me the form , POST /validate is validating the user input using an ajax call from /login page. But the session acts like a cookie, meaning that i can change it’s value, as well as read it’s value whic is plain text. How can I prevent this?