[eluser]WanWizard[/eluser]
@bretticus:
Your assumption is correct.
If you use database sessions (and you should, do not store user data client side!), the size of the cookie is limited by the size of the user_data column in your session table, and only the session_id, user_agent, IP address and last_activity timestamp are written to the cookie. These fields are needed to find the correct session record. Also, don't forget to encrypt the session cookie, so the session_id (and other fields) can't be retrieved and used for session hijacking.
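
A check for the two settings recommended in the post above, added here as an example and not part of the original thread. It assumes the framework is CodeIgniter 2.x and uses that release's `config.php` key names; the `audit_session_config()` helper and the sample values are hypothetical.

```php
<?php
// Constructed sample: session settings as they would appear in
// application/config/config.php (CodeIgniter 2.x key names, assumed).
$config = array(
    'encryption_key'       => '',      // no key set
    'sess_use_database'    => FALSE,   // user data is serialized into the cookie
    'sess_table_name'      => 'ci_sessions',
    'sess_encrypt_cookie'  => FALSE,   // session_id readable client side
    'sess_match_ip'        => FALSE,
    'sess_match_useragent' => TRUE,
);

// Hypothetical helper: returns one finding per setting that contradicts
// the advice in the post (database sessions, encrypted cookie).
function audit_session_config(array $c)
{
    $findings = array();
    if (empty($c['sess_use_database'])) {
        $findings[] = 'sess_use_database is off: user data is stored in the cookie';
    } elseif (empty($c['sess_table_name'])) {
        $findings[] = 'sess_table_name is empty: no table to hold user_data';
    }
    if (empty($c['sess_encrypt_cookie'])) {
        $findings[] = 'sess_encrypt_cookie is off: session_id is readable in the cookie';
    }
    if (empty($c['encryption_key'])) {
        $findings[] = 'encryption_key is empty: cookie encryption has no key';
    }
    return $findings;
}

// Report the weak settings in the sample configuration.
foreach (audit_session_config($config) as $finding) {
    echo "WEAK: $finding\n";
}

// Settings that follow the post: data in the session table, cookie encrypted.
$config['sess_use_database']   = TRUE;
$config['sess_encrypt_cookie'] = TRUE;
$config['encryption_key']      = 'REPLACE_WITH_RANDOM_KEY'; // placeholder, not a real key
echo count(audit_session_config($config)) . " findings after hardening\n";
```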