Writing Admin/User/Public controllers to insure authentication
#25

OK I have finally got around to handling sessions in my controllers. I see that session->set_userdata() stores information in a cookie on the user's machine. I know you can encrypt your cookies, but I am reluctant to store sensitive data or values that could be manipulated by a malicious user in this fashion. I am accustomed to storing ONLY a session ID in the cookie and storing information related to that session ID on the server (where it cannot be directly manipulated by the client).

Is there some way to make sure that the session contents are stored on the server and only the session ID is stored in the user cookie?


Messages In This Thread
RE: Writing Admin/User/Public controllers to insure authentication - by sneakyimp - 01-11-2015, 01:33 PM


