how does session data manipulation work with cookies?
#11

WanWizard:
As I wrote, it only encrypts the cookie if sess_encrypt_cookie is set to TRUE. By default, this value is FALSE.

If the session cookie is not encrypted (due to the aforementioned flag), an MD5 hash is added to the cookie value, which is generated from the cookie contents + the encryption key set in the config.

So, with the current CI version you can't tamper with the values unless you regenerate the MD5 hash. And you need the encryption key for that, which I hope is set in your app, and completely random.

If memory serves me right, the encryption key was introduced in CI 2.0, which means this tutorial was probably made using an older version, which didn't have this extra security measure...

Still, although tampering might not be that easy now, the session data is still readable, which is something you should avoid. Never expose server data to the client.
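The scheme described in the post (serialized session data with an MD5 of data + key appended, checked again on every request) as an added, self-contained illustration. This is example code written for this page, not CodeIgniter's own Session library; the function names, the constant name, the sample session array and the key value are assumptions made for the example. It shows the three points above: the payload is readable by anyone holding the cookie, editing it without the key is rejected, and anyone who has the key can forge a valid cookie.

```php
<?php
// Added illustration of "serialized data . md5(data . key)" cookie protection.
// Not CodeIgniter's code: build_cookie/read_cookie, HASH_LEN, the session
// array and the key below are assumptions made for this example.

const HASH_LEN = 32; // hex length of an MD5 digest

// Build a cookie value: serialized data followed by md5(data . key).
function build_cookie(array $session, string $key): string
{
    $data = serialize($session);
    return $data . md5($data . $key);
}

// Verify and decode a cookie value; returns null when the hash does not match
// or the payload does not deserialize to an array.
function read_cookie(string $cookie, string $key): ?array
{
    if (strlen($cookie) <= HASH_LEN) {
        return null;
    }
    $data = substr($cookie, 0, -HASH_LEN);
    $hash = substr($cookie, -HASH_LEN);

    // hash_equals() compares in constant time, so the check does not leak
    // how many leading characters of the hash were right.
    if (!hash_equals(md5($data . $key), $hash)) {
        return null;
    }

    // Refuse to instantiate objects from client-supplied data.
    $session = @unserialize($data, ['allowed_classes' => false]);
    return is_array($session) ? $session : null;
}

$key = 'replace-with-a-long-random-value'; // stands in for config encryption_key
$cookie = build_cookie(['user_id' => 42, 'is_admin' => false], $key);

// 1. The payload is plaintext: anyone holding the cookie can read it.
echo "cookie value: $cookie\n";

// 2. Flipping is_admin in the serialized data without regenerating the hash
//    is detected, because the appended MD5 no longer matches.
$tampered = str_replace('b:0;', 'b:1;', $cookie);
var_dump(read_cookie($tampered, $key));

// 3. With the key, a forged cookie carrying is_admin = true passes the check.
$forged = build_cookie(['user_id' => 42, 'is_admin' => true], $key);
var_dump(read_cookie($forged, $key));
```

Run it with `php example.php`: step 2 yields null and step 3 yields the forged array, which is why the key must be long, random and kept on the server. Note that the data itself is never hidden by this scheme; the hash only binds it to the key. An HMAC (`hash_hmac()`) is the standard construction for this purpose today, and keeping the session state server-side avoids exposing it to the client at all.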



