The refresh token is used with the client secret to make a new access token for that user.
If they broke into your server, then they have both of these from looking in the database/wherever sessions are stored, and the files containing the secret…
Both need to be stored (and, if encrypted, reversibly encrypted).
You wouldn’t normally store a refresh token in the session, since a session doesn’t last forever, and conceivably you’d want to keep the refresh token for use until the user unlinks your application. So it doesn’t make sense to have the refresh token in the session.
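As an added example (not part of the post above, and not any particular provider's code), here is a small Python model of the arrangement the reply describes: the refresh token lives in a per-user linked-account record that outlives any session and is deleted on unlink, while the session only caches the short-lived access token. When that expires, the refresh token and the client secret are presented to the token endpoint (`grant_type=refresh_token`, client authenticated with HTTP Basic, as in RFC 6749 section 6) to mint a new access token; if the provider rotates the refresh token, the account record is updated. The token endpoint URL, the fake endpoint, and all token values are constructed stand-ins so the code runs offline.

```python
import base64
import time
import urllib.parse
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

TOKEN_ENDPOINT = "https://provider.example/oauth/token"  # hypothetical URL


@dataclass
class LinkedAccount:
    """Long-lived per-user record: survives session expiry, removed on unlink."""
    refresh_token: str


@dataclass
class Session:
    """Short-lived: only the access token and its expiry are cached here."""
    access_token: Optional[str] = None
    expires_at: float = 0.0


def basic_auth_header(client_id: str, client_secret: str) -> str:
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return f"Basic {creds}"


def build_refresh_request(refresh_token: str, client_id: str, client_secret: str):
    """Return (url, headers, body) for a refresh_token grant."""
    headers = {"Authorization": basic_auth_header(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"grant_type": "refresh_token",
                                   "refresh_token": refresh_token})
    return TOKEN_ENDPOINT, headers, body


class TokenManager:
    """Keeps refresh tokens per user and access tokens per session."""

    def __init__(self, client_id: str, client_secret: str,
                 send: Callable[[str, dict, str], dict], now=time.time):
        self.client_id, self.client_secret = client_id, client_secret
        self.send = send          # performs the HTTP exchange (injected)
        self.now = now            # clock (injected so it can be controlled)
        self.accounts: Dict[str, LinkedAccount] = {}
        self.sessions: Dict[Tuple[str, str], Session] = {}

    def link(self, user_id: str, refresh_token: str) -> None:
        self.accounts[user_id] = LinkedAccount(refresh_token)

    def unlink(self, user_id: str) -> None:
        self.accounts.pop(user_id, None)
        for key in [k for k in self.sessions if k[0] == user_id]:
            del self.sessions[key]   # drop cached access tokens too

    def get_access_token(self, user_id: str, session_id: str) -> str:
        session = self.sessions.setdefault((user_id, session_id), Session())
        if session.access_token and session.expires_at > self.now() + 30:
            return session.access_token          # still valid, no exchange
        account = self.accounts.get(user_id)
        if account is None:
            raise LookupError("account not linked")
        resp = self.send(*build_refresh_request(account.refresh_token,
                                                self.client_id, self.client_secret))
        if "error" in resp:
            raise RuntimeError(resp["error"])
        session.access_token = resp["access_token"]
        session.expires_at = self.now() + resp.get("expires_in", 3600)
        if "refresh_token" in resp:               # provider rotated it
            account.refresh_token = resp["refresh_token"]
        return session.access_token


def make_fake_token_endpoint(client_id: str, client_secret: str, valid: set):
    """Constructed stand-in for a provider that rotates refresh tokens."""
    calls = []

    def send(url: str, headers: dict, body: str) -> dict:
        calls.append(body)
        if headers.get("Authorization") != basic_auth_header(client_id, client_secret):
            return {"error": "invalid_client"}
        params = dict(urllib.parse.parse_qsl(body))
        if params.get("grant_type") != "refresh_token" or params.get("refresh_token") not in valid:
            return {"error": "invalid_grant"}
        valid.discard(params["refresh_token"])
        n = len(calls)
        valid.add(f"rt-{n}")
        return {"access_token": f"at-{n}", "expires_in": 3600, "refresh_token": f"rt-{n}"}

    send.calls = calls
    return send


if __name__ == "__main__":
    valid = {"rt-0"}
    tm = TokenManager("app", "s3cret", make_fake_token_endpoint("app", "s3cret", valid))
    tm.link("alice", "rt-0")
    print(tm.get_access_token("alice", "sess1"))   # exchanges rt-0 for at-1
```

Note how both halves of the reply's point appear in the model: the refresh token and the client secret together are sufficient to mint access tokens, so the account store and the secret file are exactly what an intruder needs, and the store has to hold the refresh token in recoverable form because it must be sent back to the provider as-is.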