Codeigniter what is the point of storing session d

Published 2019-08-30 09:21

Question:

This question already has an answer here:

  • Why does codeigniter store its sessiondata in a cookie? 4 answers

All CI users know that by default sessions are stored in cookies.

But what exactly is the point of this implementation? I really can't find a good reason.

OK, on a shared server people might gain access to the session files, but what about the client side? I could change the data in the cookie as well, and it being a "one-way" method, how do I even validate the data in the session cookie on the server side? I find it very odd, not to mention that the cookie could run into size problems.

I'm aware of the database method, but what if I'm on a dedicated server with full control and I don't want to waste db resources querying the session table on every single page? Wouldn't it have been more flexible/useful to offer the classic PHP method by default, so I can validate the data with the ID in the cookie?

Answer 1:

You can use CSRF protection and encrypt the cookies to strengthen the system against cookie manipulation.

If you are concerned about security, though, you absolutely should be using the db for sessions. Unless you have tons of users, the hit on the db will be negligible. If you do have tons of users, time to think about distributing the workload as the session lookup will be the least of your worries.

The client cookies are more for state. They can be used for things like "remember me" on login forms or for a page layout or something. They should not be used for securing your application.

You cannot verify a session via cookie if you are not using db sessions, as there is nowhere for the application to store the session id.

Please see http://ellislab.com/codeigniter/user-guide/libraries/sessions.html for more details.

Answer 2:

Cookie based sessions provide a lightweight and fast mechanism for storing session information. They are also secure. Each cookie is encrypted using strong AES-256 encryption. However, cookies have a four kilobyte storage limit, so you may wish to use another driver if you are storing a lot of data in the session. The data is encrypted based off the hash in your config, and CI also runs an update on the hash intermittently for more security. Storing the session in a cookie or in the database is also better suited to server farms or clusters under high load. Many large corporations and other high traffic websites use this strategy for their sessions.

That being said, I understand the concern about being limited to 4 KB of data, having the data client side, and also having the data show up as a REQUEST on each page load. However, there is nothing keeping you from manually using the default PHP session or rolling your own session library.
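To make concrete how the server can validate client-held session data without a session table (the question's "how do I even validate the data" and the answers' point about encrypting/signing the cookie), here is an added example that is not CodeIgniter's own code: a session cookie authenticated with an HMAC keyed by a server-side secret. The config constant SESSION_KEY, the payload layout and the 4096-byte limit check are assumptions for the demo.

```php
<?php
// Added example, not CodeIgniter's session driver. The server stores nothing;
// it signs the serialized session data with an HMAC keyed by a secret the
// client never sees, so any client-side edit of the cookie fails verification.
declare(strict_types=1);

const SESSION_KEY = 'replace-with-32-random-bytes-from-config'; // assumption: loaded from config
const COOKIE_MAX  = 4096; // the per-cookie size limit the answers mention

/** Build the cookie value as base64(json) . "." . hex(hmac-sha256). */
function seal_session(array $data, string $key): string
{
    $payload = base64_encode(json_encode($data, JSON_THROW_ON_ERROR));
    $mac     = hash_hmac('sha256', $payload, $key);
    $cookie  = $payload . '.' . $mac;
    if (strlen($cookie) > COOKIE_MAX) {
        throw new LengthException('session too large for a cookie; use the db driver');
    }
    return $cookie;
}

/** Verify and decode; returns null (treat as logged out) if the MAC does not match. */
function open_session(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, $key);
    // constant-time compare so response timing does not leak how many bytes matched
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    $json = base64_decode($payload, true);
    $data = $json === false ? null : json_decode($json, true);
    return is_array($data) ? $data : null;
}

// Demo: a legitimate cookie round-trips; an edited payload with the old MAC is rejected.
$cookie = seal_session(['user_id' => 42, 'role' => 'user'], SESSION_KEY);
var_dump(open_session($cookie, SESSION_KEY)['role']);   // string(4) "user"

$tampered = base64_encode(json_encode(['user_id' => 42, 'role' => 'admin']))
          . '.' . explode('.', $cookie)[1];
var_dump(open_session($tampered, SESSION_KEY));         // NULL
```

A MAC only proves integrity; if the session holds anything confidential it must additionally be encrypted (as the answers describe), and a rotated key invalidates every outstanding cookie at once.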