Why does codeigniter store its sessiondata in a cookie?

Question

Why does Codeigniter do this? I mean isn\'t it very insecure if users can see which data is stored in their session? And and what if they change a value in the cookie?

Answer 1

Well, Codeigniter's out of the box interpretation of sessions is different to that of PHP sessions. You can still use PHP sessions if you want via the $_SESSION super global, but Codeigniter basically treats sessions as more convenient cookies. Although, you can make your sessions store in a database which is what I do and will prevent a user from changing session values.

If you want semi-secure session variables, use the in-built PHP ones if you don't want the hassle of making Codeigniter store session values in a database encrypted.

Everything is explained in the detailed documentation: http://codeigniter.com/user_guide/libraries/sessions.html