Using session class for secure logins
#5

jedd
To augment the existing comments.

0/ yes - it involves reading the manual and config files - briefly, config.php/sess_encrypt_cookie=TRUE, encryption_key={insert your random 32-char string here}, and I'd suggest sess_use_database=TRUE too.

1/ sessions can be stored in either place. I concur with the recommendation to store them in the DB, in no small part because it means you can break the 4kb limit you have with cookies.

2/ apart from anything else, CI (by default) does not respect query strings - so, yes, you are protected from the type of URL you cited.

3/ fingerprinting each user seems like a lot of effort, with little return - certainly it hasn't really paid off for the US gov. I suspect that if you're asking if you need to do this ... then you probably don't (or you shouldn't be designing or security auditing auth systems).

4/ if you reckon the documentation says nothing about security, I suggest you haven't really read the documentation.
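
A check for the three settings named in point 0/, as an added example that is not part of the original post and not CodeIgniter's own code. The config keys are CodeIgniter's; `audit_session_config()` and both sample arrays are constructed for illustration, and `random_bytes()` and `??` assume PHP 7 or later.

```php
<?php
// Added example: audit the session settings named in the post.
// Config keys are CodeIgniter's; audit_session_config() is a hypothetical helper.

function audit_session_config(array $config): array
{
    $findings = [];

    // Without encryption the session cookie's contents are stored in the clear.
    if (($config['sess_encrypt_cookie'] ?? FALSE) !== TRUE) {
        $findings[] = 'sess_encrypt_cookie is not TRUE';
    }

    // The post asks for a random 32-character key; empty or short keys fail.
    $key = (string) ($config['encryption_key'] ?? '');
    if (strlen($key) < 32) {
        $findings[] = 'encryption_key is shorter than 32 characters';
    } elseif (count(array_unique(str_split($key))) < 8) {
        // Heuristic only: very few distinct characters suggests a non-random key.
        $findings[] = 'encryption_key does not look random';
    }

    // Cookie-only sessions are capped at roughly 4 KB and live on the client.
    if (($config['sess_use_database'] ?? FALSE) !== TRUE) {
        $findings[] = 'sess_use_database is not TRUE';
    } elseif (empty($config['sess_table_name'])) {
        $findings[] = 'sess_use_database is TRUE but sess_table_name is empty';
    }

    return $findings;
}

// Constructed sample: all three settings left off.
$weak = [
    'sess_encrypt_cookie' => FALSE,
    'encryption_key'      => '',
    'sess_use_database'   => FALSE,
];

// Constructed sample: the settings recommended in the post.
$hardened = [
    'sess_encrypt_cookie' => TRUE,
    'encryption_key'      => bin2hex(random_bytes(16)), // 32 hex chars, PHP 7+
    'sess_use_database'   => TRUE,
    'sess_table_name'     => 'ci_sessions',
];

print_r(audit_session_config($weak));
print_r(audit_session_config($hardened));
```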

