[eluser]WanWizard[/eluser]
EVERY session solution works with cookies. It's the only way to link a specific browser session to server-side data.
PHP's own solution stores the session id unencrypted and unsecured in a cookie, which makes it very easy to hijack the cookie and steal someone else's session. CI's cookie is encrypted, and contains extra hijacking countermeasures like the user's IP and browser identification, making it difficult to use a stolen cookie.
There are third-party libraries available that replace CI's session library. Some of them use CI's cookie mechanism (which is a good thing), others PHP's solution (which is a bad thing). The 'native session' library does the good thing, but also uses PHP's standard session storage on the server, which might be a very bad idea if you're on a not properly secured shared server, as every PHP script is able to read all session files, also from other websites running on that same host, unless special precautions have been taken.
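
The kind of cookie described in the post above, as an added example that is not part of the original post and is not CodeIgniter's own code: the session id is sealed together with the client's IP and a hash of its browser identification, and the cookie is rejected when any of them does not match. The function names, the AES-256-GCM choice, the key and the sample addresses are assumptions made for illustration.

```php
<?php
// Added illustration. seal_session()/open_session() are hypothetical names,
// not functions of CodeIgniter or of any session library.

function seal_session(string $sid, string $ip, string $userAgent, string $key): string
{
    $payload = json_encode(['sid' => $sid, 'ip' => $ip, 'ua' => hash('sha256', $userAgent)]);
    $nonce = random_bytes(12);               // fresh nonce for every cookie
    $tag = '';
    $cipher = openssl_encrypt($payload, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    return base64_encode($nonce . $tag . $cipher);
}

function open_session(string $cookie, string $ip, string $userAgent, string $key): ?string
{
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) <= 28) {
        return null;                         // not base64, or too short to hold nonce + tag + data
    }
    $nonce  = substr($raw, 0, 12);
    $tag    = substr($raw, 12, 16);
    $cipher = substr($raw, 28);
    $payload = openssl_decrypt($cipher, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($payload === false) {
        return null;                         // modified cookie or wrong key
    }
    $data = json_decode($payload, true);
    if (!is_array($data) || !isset($data['sid'], $data['ip'], $data['ua'])) {
        return null;
    }
    // The hijacking countermeasures: the cookie is only valid for the client it was issued to.
    if (!hash_equals($data['ip'], $ip) || !hash_equals($data['ua'], hash('sha256', $userAgent))) {
        return null;
    }
    return $data['sid'];
}

// Constructed sample values (documentation IP ranges, made-up user agents).
$key    = random_bytes(32);                  // in practice a fixed secret kept in server-side config
$cookie = seal_session('a1b2c3d4', '203.0.113.10', 'ExampleBrowser/1.0', $key);

var_dump(open_session($cookie, '203.0.113.10', 'ExampleBrowser/1.0', $key)); // the session id
var_dump(open_session($cookie, '198.51.100.7', 'ExampleBrowser/1.0', $key)); // NULL: other IP
var_dump(open_session($cookie, '203.0.113.10', 'OtherBrowser/2.0', $key));   // NULL: other browser
var_dump(open_session('A' . substr($cookie, 1), '203.0.113.10', 'ExampleBrowser/1.0', $key)); // NULL unless the cookie already began with 'A'
```

Binding to the IP address also rejects legitimate users whose address changes during a session, for example on mobile networks, so that check is usually made configurable.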