Session Fixing Library
#4

[eluser]WanWizard[/eluser]
Which is true for any encryption mechanism, including yours. So what makes your solution more secure?

It is not the encryption mechanism that is the weakness (that is published), but the key used, and if the hacker can obtain the key, the hacker can do that in both cases.

You say that the session id alone is not enough to access the session. What else is required then? And is that always available?

The biggest issue you have with sessions is exactly that: how do you securely tie a server-side session store to a specific session? User agent is unreliable, IP address is unreliable (and can even change within a session), what else is there? Session id rotation is a commonly used mechanism to reduce the window of opportunity, but has severe issues when it comes to concurrent access, so imho not a real solution either.

I understand the dependency, but my point is that the majority of CI users use CI because of its support for legacy platforms; I think the people using it on a 5.4+ platform are a minority. Also, using it will make your application a lot less portable, because you introduce the version dependency, which will make people reluctant to use your library.
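The rotation-versus-concurrency trade-off raised in the post above, as an added example that is not part of this thread or of CodeIgniter: a minimal server-side session store (written in Python rather than PHP so it runs stand-alone) that rotates the session id but keeps the superseded id resolving for a short grace window, so in-flight concurrent requests still carrying the old id do not lose the session. GRACE_SECONDS, the injectable clock and the store API are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

GRACE_SECONDS = 30  # assumption: how long a superseded id keeps resolving


@dataclass
class Session:
    sid: str
    data: dict = field(default_factory=dict)
    superseded_by: Optional[str] = None    # newer id issued by rotate()
    superseded_at: Optional[float] = None  # when the rotation happened


class SessionStore:
    """In-memory session store with id rotation and a grace window (example)."""

    def __init__(self, grace: float = GRACE_SECONDS, clock=time.time):
        self._sessions = {}
        self._grace = grace
        self._clock = clock  # injectable so the behaviour can be tested offline

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG
        self._sessions[sid] = Session(sid)
        return sid

    def resolve(self, sid: str) -> Optional[Session]:
        """Return the live session for sid, following rotations within the grace window."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if s.superseded_by is None:
            return s
        if self._clock() - s.superseded_at > self._grace:
            del self._sessions[sid]  # grace over: the old id is dead for good
            return None
        return self.resolve(s.superseded_by)  # old id still maps to the new one

    def rotate(self, sid: str) -> str:
        """Issue a fresh id (e.g. at login) while the old id stays valid for the grace window."""
        old = self.resolve(sid)
        if old is None:
            raise KeyError("unknown or expired session")
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = Session(new_sid, old.data)  # same state, new id
        old.superseded_by = new_sid
        old.superseded_at = self._clock()
        return new_sid
```

A request arriving with the old id during the window is served against the same state; once the window closes the old id is removed rather than left resolvable.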

