[eluser]WanWizard[/eluser]
CI can encrypt the cookie payload by setting $this->session->sess_encrypt_cookie to TRUE (or in the config).
Unfortunately, up until the latest release (2.1.0), the default is FALSE, which will open your app for this vulnerability.
imho it should be TRUE by default to avoid beginners making errors like this, if you insist on using cookie-only sessions (which ideally you should avoid; don't send session data to the client).
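As an added illustration (not code from the post or from CodeIgniter itself) of what "open to the client" means here: with sess_encrypt_cookie FALSE, CI 2.x stores the PHP-serialized session array in the cookie followed by md5(data + encryption_key); the check below flags such client-readable cookies and lists the fields the browser can see. The cookie format is assumed from CI 2.x, and all keys and session values are constructed samples.

```python
import hashlib
import re

# Constructed sample values, not taken from any real application.
ENCRYPTION_KEY = "example-key-for-demo"
SAMPLE_SESSION = 'a:2:{s:7:"user_id";s:2:"42";s:5:"email";s:17:"alice@example.org";}'
# An opaque, encrypted-looking payload (constructed) for comparison.
ENCRYPTED_SAMPLE = "UYxP8b2c9fL0vK1w3tQn7aHs5zRdE4mJ6pN8qT2wX4yB0cD1eF3gH5iK7lM9oP+/"

# PHP-serialized array header, e.g. a:2:{s:7:"user_id";...}
_SERIALIZED_ARRAY = re.compile(r"^a:\d+:\{")


def make_plain_cookie(serialized: str, key: str = ENCRYPTION_KEY) -> str:
    """Build a CI 2.x style unencrypted session cookie (assumed format):
    serialized data followed by md5(data + encryption_key)."""
    return serialized + hashlib.md5((serialized + key).encode()).hexdigest()


def is_plaintext_session_cookie(value: str) -> bool:
    """True when the cookie body is client-readable: a PHP serialized array
    with a 32-hex-char integrity tail, rather than an opaque encrypted blob."""
    if len(value) <= 32:
        return False
    body, tail = value[:-32], value[-32:]
    return bool(_SERIALIZED_ARRAY.match(body)) and re.fullmatch(r"[0-9a-f]{32}", tail) is not None


def readable_fields(value: str) -> dict:
    """Extract string key/value pairs from a plaintext cookie so a reviewer
    sees exactly what the browser (and anything in between) can read."""
    if not is_plaintext_session_cookie(value):
        return {}
    pairs = re.findall(r's:\d+:"([^"]*)";s:\d+:"([^"]*)";', value[:-32])
    return dict(pairs)


if __name__ == "__main__":
    cookie = make_plain_cookie(SAMPLE_SESSION)
    print("plaintext:", is_plaintext_session_cookie(cookie), readable_fields(cookie))
    print("plaintext:", is_plaintext_session_cookie(ENCRYPTED_SAMPLE))
```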