[eluser]BrianDHall[/eluser]
I ammend my previous statement - I don't use CI's sessions, I use OB Session library available from the Wiki.
2 simple reasons - 1) it keeps database stored session variables private. So if you want to set a session flag of user_is_moron to True, the user won't know even if they look at their browser's cookie
No need for encryption
2) Related to 1, if you store session info in a database all it transmits to the user's browser is the bare minimum of session ID. This makes it easier to retrieve the session ID itself for use in hacky sorts of behaviors, such as switching sessions to allow proper handling of shockwave flash connections, and I don't see why the client should ever be sent more information in the cookie than that, really.
It Just Works just like CI's native sessions, only I consider it better in these two respects. I've used it on four projects so far without a hitch.