Native sessions or CI sessions.
#11

WanWizard:
I said that. Because that is the case.

PHP's native sessions use a simple session cookie (by default called PHPSESSID), which contains only the unencrypted session ID.

Getting that is often quite easy, unless you never go to any website with your browser (I can do that using this forum if need be; all that's needed is a link to what you think is an image, and make sure you click on the link). Once I have your session ID, I can access the application with your credentials. I don't need to hack your server, and I don't need to hack your PC. You obviously don't have a clue of the dangers lurking in the real world.

As the session ID doesn't change unless you have programmed a manual rotation of the ID, I have all the time in the world to use that ID to access the site.

On shared hosting, the hosting company needs to take special precautions to make sure the server-based session files are not accessible across websites. In my experience that is absolutely not always the case, especially for the low-budget hosters. Write a script that scans the disk for session files, and just open them. Piece of cake (as your Apache instance needs read/write access to those files).

If you refer to a CI session library that uses PHP's session mechanism, some of these issues might be mitigated since you're not using the full native PHP stack; you're only using the server storage side. Which makes cookie hijacking more difficult. Server side, the story remains the same.

If you're concerned about speed, you should be worried about the fact that the standard CI session library (and all derived libraries) do a storage update every time you update the session. Which could explode the number of I/Os to the session storage backend within a single page request. Solving that issue gives a bigger gain in speed than merely switching from DB to file storage.

If you really want something fast, use a session system backed by, for example, memcached and remove I/O from the equation altogether.

As to your last points, I prefer to ignore your remark about noobs. I've been busy with CI's session system for a very long time, I've written replacements that mitigate the shortcomings of the current library, and I also wrote the session engine for another framework. I believe I'm entitled to say that I know what I'm talking about... Before you write a post like this, get your facts together, and come with arguments to prove I'm wrong. So far, I haven't seen any...
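
As an added example (not WanWizard's code, nor CodeIgniter's), here is how the mitigations implied by the post above look when applied to PHP's native sessions: a private `session.save_path` so other sites on a shared host cannot read the files, strict mode and cookie-only IDs, hardened cookie flags, and rotation of the session ID at login and periodically. The directory path, the rotation interval and the `on_login()` helper are assumptions; the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example: hardening PHP native sessions against the issues
// described in the post. Paths and intervals below are placeholders.

// 1. Keep session files out of the shared temp directory that other
//    vhosts on a shared host may be able to read (placeholder path).
ini_set('session.save_path', '/var/www/example-app/private/sessions');

// 2. Accept session IDs only from cookies, never from URLs, and refuse
//    IDs the server did not generate itself (blocks session fixation).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');

// 3. Cookie flags: not readable by JavaScript, only sent over HTTPS,
//    and not attached to cross-site requests.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

session_start();

// 4. Rotate the ID so a captured one has a short useful life:
//    always on privilege change (login) and periodically otherwise.
const ROTATE_AFTER_SECONDS = 300; // assumed interval

function rotate_session_id(): void
{
    // true = delete the old session file, so the old ID stops working now.
    session_regenerate_id(true);
    $_SESSION['last_rotation'] = time();
}

function on_login(int $userId): void
{
    rotate_session_id();            // never keep the pre-login ID
    $_SESSION['user_id'] = $userId;
}

if (!isset($_SESSION['last_rotation'])
    || time() - $_SESSION['last_rotation'] > ROTATE_AFTER_SECONDS) {
    rotate_session_id();
}
```

The periodic rotation at the end runs on every request, so the window in which a leaked ID stays valid is bounded by `ROTATE_AFTER_SECONDS` rather than by the session lifetime.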

