[eluser]PhilTem[/eluser]
One can easily convince yourself
The thing with non-database stored sessions is: The data you store inside the session is stored on the user's side. Therefore he can easily sniff into the code and change things. If you don't even encrypt your session-data then you're open to any type of session injection.
When using database stored sessions only the session-id is stored on the user's side. Nothing more, therefore he can't sniff the code and change any data.
If you don't mind letting people read your session data or don't have any sensitive data to be stored within the session you can take some load off your MySQL-server and store the sessions on the user side.
But I personally always go with database-stored sessions. It's definitely safer.
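
The two storage models discussed in the post above, as an added example that is not part of the post and is not CodeIgniter's own session code. All function names, the key constant and the sample data are assumptions made for illustration; the cookie variant adds an HMAC so the server can detect a payload that was changed on the user's side.

```php
<?php
// Added illustration: names, key and sample data are hypothetical.
const SESSION_KEY = 'constructed-demo-key'; // placeholder; load a real key from config

// Client-side storage: the whole payload travels in the cookie, plus an HMAC tag.
function cookie_session_encode(array $data, string $key): string
{
    $payload = base64_encode(json_encode($data));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Returns the session array, or null when the cookie is malformed or was altered.
function cookie_session_decode(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Recompute the tag and compare in constant time before trusting the payload.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    $data = json_decode(base64_decode($payload, true) ?: '', true);
    return is_array($data) ? $data : null;
}

// Server-side storage: the cookie holds only a random id; the data stays in the store.
function server_session_create(array &$store, array $data): string
{
    $id = bin2hex(random_bytes(16));
    $store[$id] = $data;
    return $id;
}

function server_session_load(array $store, string $id): ?array
{
    return $store[$id] ?? null;
}

$data = ['user_id' => 42, 'is_admin' => false]; // constructed sample session
$cookie = cookie_session_encode($data, SESSION_KEY);
var_dump(cookie_session_decode($cookie, SESSION_KEY) === $data); // unmodified cookie

// A payload edited on the user's side, reusing the old tag, no longer verifies.
$edited = base64_encode(json_encode(['user_id' => 42, 'is_admin' => true]));
var_dump(cookie_session_decode($edited . '.' . explode('.', $cookie)[1], SESSION_KEY));

$store = []; // stands in for the sessions table
$id = server_session_create($store, $data);
var_dump(server_session_load($store, $id) === $data);      // id issued by the server
var_dump(server_session_load($store, 'client-chosen-id')); // id the server never issued
```

The HMAC only makes changes detectable; the cookie payload is still readable by the user, whereas the server-side variant exposes nothing but the id.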