Starting with the session data, you should only store the user's id in a session variable. You should not store any user permissions in session variables. Doing so will prevent the user permissions from being changed until the next time the user logs in. If you have a system where the user can perform an action, such as making posts, chat, shout-box, PM'ing members, emailing members, ... you would want any change in permissions to take effect on the next page request, so that a moderator/administrator will have the ability to stop someone who is abusing the system or to have the ability to add permissions without having to tell the user to log out and log back in again for them to take effect. You should query on each page request to get the current user's permissions.
The user permissions should determine what the current visitor can see or what action they can perform on any page. The logic on any page should test if the current visitor is logged in, retrieve their permissions if they are, and then decide what to display or what action to allow on that page.
On the member (profile) page, it should use a GET parameter in the url to determine whose information to display. If there is not an id in the url, you need to decide what to do. Should this display an error message? Should you redirect to another page? Should you display the current user's data using the user_id from the session variable, if any? This forum software displays "This user has not registered and therefore does not have a profile to view.", which is probably the same message/logic for when there is an id in the url, but that user doesn't exist.
If there is an id in the url, you also need to decide what to do. If the id in the url is not the same as the current visitor's or the current visitor is not logged in, what should happen? If the id in the url is the same as the current visitor's (viewing your own profile page), what should happen? In addition to displaying the profile information, you would display the link to the edit page in this case.
Repeat this defining process for the edit page. If the current visitor is not logged in and they browse to the edit page, what should happen? This forum software displays - "You are not logged in or you do not have permission to access this page. This could be due to one of several reasons:...". If they are logged in and they have permission to edit their profile, you would retrieve the profile information using the user id from the session variable and populate the edit form with it. When the edit form is submitted, you would repeat these checks (if not submitting to the same page), so that only a logged in user, with permission to edit their profile, can cause the data to be changed.
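The checks described above, as an added example that is not part of the original post. It is a framework-free Python sketch using an in-memory SQLite database; the table, the column names (including the `can_edit_profile` flag), the function names and the sample rows are all assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; schema and rows are assumptions for this example.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT,
                            can_edit_profile INTEGER);
        INSERT INTO users VALUES (1, 'alice', 'hello', 1), (2, 'bob', 'hi', 1);
    """)
    return db

def current_user(db, session):
    """Run on every request: the session holds only the user id."""
    uid = session.get("user_id")
    if uid is None:
        return None
    row = db.execute("SELECT id, can_edit_profile FROM users WHERE id = ?",
                     (uid,)).fetchone()
    if row is None:
        return None  # account removed since login
    return {"id": row[0], "can_edit_profile": bool(row[1])}

def view_profile(db, session, query):
    """Profile page: the id in the url selects whose data is shown."""
    raw = query.get("id", "")
    row = None
    if raw.isdecimal() and len(raw) < 19:  # digits only, fits a SQLite INTEGER
        row = db.execute("SELECT id, name, bio FROM users WHERE id = ?",
                         (int(raw),)).fetchone()
    if row is None:
        # One response for "no id in the url" and "no such user".
        return {"status": 404, "error": "no profile to view"}
    user = current_user(db, session)
    own = bool(user and user["id"] == row[0] and user["can_edit_profile"])
    return {"status": 200, "name": row[1], "bio": row[2], "show_edit_link": own}

def save_profile(db, session, form):
    """Edit submission: repeat the checks; the row to change comes from the
    session, never from an id supplied in the form or url."""
    user = current_user(db, session)
    if user is None or not user["can_edit_profile"]:
        return {"status": 403, "error": "not logged in or no permission"}
    db.execute("UPDATE users SET bio = ? WHERE id = ?",
               (form.get("bio", ""), user["id"]))
    db.commit()
    return {"status": 200}
```

Because `current_user` reads the permission flag on each call, clearing `can_edit_profile` for a user blocks their next edit request without that user logging out and back in.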