The PHP Scalability Myth
Subject: Hidden variables for session state?
Response to: Hidden variables for session state?
If you're putting the session in the db, you just need to send a cookie containing the id to the browser. This id wouldn't need to be encrypted all the time; you could simply give the browser a large random session id at the beginning, and you would therefore protect your sessions from spoofing.
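
The scheme described in the comment above, as an added example that is not part of the original post: the session data stays in the database and the browser only receives a large random id. The table layout, function names, cookie name and the choice to store a SHA-256 hash of the id rather than the id itself are assumptions of this example, and an in-memory SQLite database (requires the pdo_sqlite extension) stands in for the real store.

```php
<?php
declare(strict_types=1);

// Constructed demo store: in-memory SQLite stands in for the real session table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (
    id_hash TEXT PRIMARY KEY, data TEXT NOT NULL, expires INTEGER NOT NULL)');

// Create a session: 256 bits from the CSPRNG, so the id cannot be guessed.
// Only a hash of the id is stored, so a leaked table does not yield usable cookies.
function session_create(PDO $db, array $data, int $ttl = 1800): string
{
    $id = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO sessions (id_hash, data, expires) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $id), json_encode($data), time() + $ttl]);
    return $id;
}

// Resolve a cookie value to session data; null for malformed, unknown or expired ids.
function session_load(PDO $db, string $cookie): ?array
{
    // Reject anything that is not 64 lowercase hex characters before touching the db.
    if (!preg_match('/\A[0-9a-f]{64}\z/', $cookie)) {
        return null;
    }
    $stmt = $db->prepare('SELECT data FROM sessions WHERE id_hash = ? AND expires > ?');
    $stmt->execute([hash('sha256', $cookie), time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : json_decode($row['data'], true);
}

$id = session_create($db, ['user' => 'alice']); // constructed sample data

// In a web request the id is the only thing sent to the browser.
if (PHP_SAPI !== 'cli') {
    setcookie('sid', $id, [
        'expires' => 0, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

var_dump(session_load($db, $id));                 // the id issued above
var_dump(session_load($db, str_repeat('0', 64))); // well-formed id that was never issued
var_dump(session_load($db, 'not-a-session-id'));  // malformed value
```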