setting custom session variables
#9

[eluser]tonanbarbarian[/eluser]
Technically, if your session processing is just storing information in the cookie, it could be considered dangerous.
But how often do you find a situation where someone has actually modified their cookie data?
The average visitor to your site would have NO CLUE how to modify the cookie data.

That said I prefer to put NOTHING in the cookie that is not needed. So if I can I will use a session library (like db_session) that stores all of the data on the server somewhere (in the case of db_session in the database) thus ensuring that the user cannot change any data except via the interface given in the website.

If all you are storing in the session is their choice of favorite colour or something innocent like that, don't worry, but if you are storing anything to do with user authentication and validation it should not be in the cookie.
For authenticated sessions only a unique session id should be in the cookie.

Just my opinion
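
Added example (not part of the original post, and not code from db_session or CodeIgniter): the two storage models the post contrasts, side by side, so the effect of an edited cookie on each can be compared. `ServerSessionStore`, `loadFromCookieOnly` and the sample values are hypothetical, and an in-memory array stands in for the database table.

```php
<?php
// Added illustration; class, function and variable names are hypothetical.
// The array below stands in for the table a database-backed session library would use.
final class ServerSessionStore
{
    /** @var array<string, array> session id => data, held on the server only */
    private array $rows = [];

    // Keep the data server-side and return the only value that goes into the cookie.
    public function create(array $data): string
    {
        $id = bin2hex(random_bytes(16)); // 128-bit random, unguessable id
        $this->rows[$id] = $data;
        return $id;
    }

    // Resolve a cookie value to session data; anything create() did not issue yields null.
    public function load(string $cookieValue): ?array
    {
        if (preg_match('/\A[0-9a-f]{32}\z/', $cookieValue) !== 1) {
            return null; // malformed cookie value
        }
        return $this->rows[$cookieValue] ?? null; // unknown id
    }
}

// Cookie-only storage: the server believes whatever the browser sends back.
function loadFromCookieOnly(string $cookieValue): array
{
    return json_decode($cookieValue, true) ?? [];
}

// Constructed sample session data.
$session = ['user_id' => 42, 'is_admin' => false];

// 1) Data kept in the cookie: an edited cookie changes what the server sees.
$edited = json_encode(['user_id' => 42, 'is_admin' => true]);
var_dump(loadFromCookieOnly($edited)['is_admin']); // the edited flag is accepted as-is

// 2) Only an id in the cookie: the same edit has no server-side data to act on.
$store  = new ServerSessionStore();
$cookie = $store->create($session);
var_dump($store->load($cookie)['is_admin']); // value comes from the server-side row
var_dump($store->load($edited));             // not an issued id, so no session is loaded
```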




