[eluser]WanWizard[/eluser]
I think you're missing the point.
Sessions are used to create state in a stateless environment. It provides server-side storage where one request can store data, and a later request can retrieve it again.
What this data is, and whether it's flash data or permanent data is imho totally irrelevant.
When it comes to authentication, all you need to know is "which user is owning this session?", so you can restore the user or logged-in context at the next reload.
We have quite an extensive security system, yet we only store 3 fields in the session secord: the user_id, the authentication_method used, and a hash value that is used for security reasons.
Yet from a session point of view, these are three variables like any other session variable. Why would you make things complicated and keep that separate from all other session variables?
Storing 'messages' in a cookie is a daft idea. Messages have only relevance server-side, why would you send them to the client?
