Using session class for secure logins

[eluser]WebsiteDuck[/eluser]
Sorry to bring up a 3 month old thread but I share the concern about CI sessions being insecure.

If you are not going to use encryption+database (which would be more secure) then you should just use PHP sessions.

In PHP sessions, an attacker can compromise one account by hijacking the sessionid, which is unlikely but not impossible. Data is stored server-side and cannot be changed by a user unless they have access to the webserver.

In the default CI sessions, any user can modify their cookie and change, for instance, their logged in username. This compromises every account.

Using CI sessions with encryption and database would be more secure though, I believe. This should make sessionid hijacking less likely.

So thats my two cents. Coders should not assume default CI sessions act like PHP sessions, or they risk being insecure. Feel free to correct me if I'm mistaken anywhere.