all CI users know that by default sessions are stored in cookies.
But what exactly is the point of this implementation? I really can’t find a good reason.
OK, in a shared server people might gain access to the session files but what about the client side? I could change the data in the cookie as well and being a “one-way” method how do I even validate the data in session cookie on the server side?
I find it very odd, not to mention the cookie could encounter problems of size.
I’m aware of the database method but what if I’m in a dedicated server with full control and I don’t want to waste db resources to query the session table at very single page wouldn’t have been more flexible/useful to offer by default the classic PHP method so I can validate the data with the ID in the cookie?
You can use CSRF protection and encrypt the cookies to strengthen the system against cookie manipulation.
If you are concerned about security, though, you absolutely should be using the db for sessions. Unless you have tons of users, the hit on the db will be negligible. If you do have tons of users, time to think about distributing the workload as the session lookup will be the least of your worries.
The client cookies are more for state. They can be used for things like “remember me” on login forms or for a page layout or something. They should not be used for securing your application.
You can not verify a session via cookie if you are not using db sessions as there is no where for the application to store the session id.
Please see http://ellislab.com/codeigniter/user-guide/libraries/sessions.html for more details.