As far as I know, yes. MediaWiki sets a session cookie with an ID that uniquely identifies the session. The session data itself is stored in some session storage (by default we let PHP handle it, on WMF we stick it in memcached, I believe). So unless there's some ridiculous vulnerability allowing people to obtain the value of arbitrary keys in $_SESSION, you should be fine AFAIK.
The contents of that session on the server are unencrypted, correct? Depending on what the secret is, he may or may not want to use it. For instance, that is probably a terrible place to put credit card numbers temporarily.
-- Ryan Lane
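
The concern raised above is that session data sits unencrypted in the server-side store. The following is an added example, not part of the original thread and not MediaWiki code, showing one way to seal a value with libsodium before it goes into the session. The function names, the `apiSecret` key and the inline key generation are assumptions made for illustration; a real key would be loaded from configuration kept outside the session store.

```php
<?php
// Added illustration, not MediaWiki code. sealForSession/openFromSession are hypothetical helpers.

// Encrypt and authenticate a value so the session backend only ever holds ciphertext.
function sealForSession(string $secret, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh nonce per value
    return base64_encode($nonce . sodium_crypto_secretbox($secret, $nonce, $key));
}

// Decrypt a sealed value; returns null if it is malformed or was modified in storage.
function openFromSession(string $stored, string $key): ?string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}

// Constructed stand-in for a key loaded from configuration outside the session store.
$key = sodium_crypto_secretbox_keygen();

// Constructed stand-in for $_SESSION so the script runs from the command line.
$session = [];
$session['apiSecret'] = sealForSession('constructed-sample-secret', $key);

// What the session backend actually stores: base64 ciphertext, not the secret.
echo $session['apiSecret'], PHP_EOL;

// Round trip with the correct key.
var_dump(openFromSession($session['apiSecret'], $key));

// A value altered in the session store fails authentication instead of decrypting.
$raw = base64_decode($session['apiSecret']);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 1);
var_dump(openFromSession(base64_encode($raw), $key));
```

This only helps against someone who can read the session store but not the key, so the key must not live in the same place as the session data.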