[eluser]WanWizard[/eluser]
Burn the book. Stone the author.
Just kidding.
The issue is that by default, because CI wants to accommodate everyone and everything, CI is configured to use cookie-based sessions, and sessions are not encrypted because there is no encryption key set. So if you don't read the documentation, or you ignore what you read, your sessions are NOT safe.
So, what should you do? Simple: follow the docs:
- define a random encryption key in your application/config/config.php
- set "sess_encrypt_cookie" to TRUE
- ideally switch to database sessions ("sess_use_database" = TRUE) so no data is sent to the browser
If you do so, your sessions will be secure.
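The three settings from the post, written out as a config fragment. This is an added example, not WanWizard's or CodeIgniter's own file: it assumes a CodeIgniter 2.x application/config/config.php, and while sess_encrypt_cookie and sess_use_database are the keys named in the post, encryption_key and sess_table_name are the standard CI 2.x config keys assumed here, the placeholder key value is constructed, and the one-liner for generating a key assumes PHP 7+ for random_bytes. The insecure defaults are shown beside the hardened values so the difference is visible in one place.

```php
<?php
// application/config/config.php (CodeIgniter 2.x) -- added example, not the
// forum post's or the project's own file. Only the session-related keys are
// shown; the rest of config.php stays as it was.

// --- Insecure defaults (what a fresh install ships with) ---
// $config['encryption_key']      = '';    // empty key: the cookie cannot be encrypted
// $config['sess_encrypt_cookie'] = FALSE; // session data goes to the browser in clear text
// $config['sess_use_database']   = FALSE; // ALL session data lives in the cookie itself

// --- Hardened settings ---
// 1. A random key. Generate it ONCE, e.g. from the command line (assumes PHP 7+):
//        php -r 'echo bin2hex(random_bytes(16)), PHP_EOL;'
//    then paste the output here. Never leave it empty, never reuse a value
//    copied from a tutorial, and keep this file out of public repositories.
$config['encryption_key']      = 'REPLACE_WITH_32_RANDOM_HEX_CHARS'; // constructed placeholder

// 2. Encrypt whatever does end up in the session cookie.
$config['sess_encrypt_cookie'] = TRUE;

// 3. Keep session data server-side; only the session id is sent to the browser.
$config['sess_use_database']   = TRUE;
$config['sess_table_name']     = 'ci_sessions'; // table must exist (schema: CI session docs)
```

With sess_use_database enabled, the ci_sessions table has to be created first using the schema given in the CodeIgniter session documentation; otherwise every request will fail at session start. A quick check that the change took effect is to inspect the session cookie in the browser after logging in: with the defaults it contains a readable serialized array of your session data, with the hardened settings it carries only an opaque encrypted blob.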