From 95e05a0d51c034523fab629357e5fc9c065ecd58 Mon Sep 17 00:00:00 2001 From: Derek Jones Date: Thu, 2 Sep 2010 10:20:54 -0500 Subject: added a teeny bit stronger wording to encourage use of database for sessions where validation is necessary or undesirable actions could occur by a user manipulating their cookies --- user_guide/libraries/sessions.html | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'user_guide/libraries/sessions.html') diff --git a/user_guide/libraries/sessions.html b/user_guide/libraries/sessions.html index a8e3b3496..3bd170d60 100644 --- a/user_guide/libraries/sessions.html +++ b/user_guide/libraries/sessions.html @@ -190,12 +190,14 @@ $this->session->unset_userdata($array_items);

Saving Session Data to a Database

While the session data array stored in the user's cookie contains a Session ID, unless you store session data in a database there is no way to validate it. For some applications that require little or no -security, session ID validation may not be needed, but if your application requires security, validation is mandatory.

+security, session ID validation may not be needed, but if your application requires security, validation is mandatory. Otherwise, an old session +could be restored by a user modifying their cookies.

When session data is available in a database, every time a valid session is found in the user's cookie, a database query is performed to match it. If the session ID does not match, the session is destroyed. Session IDs can never be updated, they can only be generated when a new session is created.

+

In order to store sessions, you must first create a database table for this purpose. Here is the basic prototype (for MySQL) required by the session class:
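Review bot: the sentence added at the end of the changed paragraph names only one consequence (an old session being restored) where the paragraph's own opening sentence already states the broader one: the whole session data array lives in the user's cookie and, without the database, nothing can validate it, so any value in that array, not only the session ID, can be altered by the user. Suggest widening the wording, e.g. "Otherwise, a user could modify their cookie to restore an old session or alter the stored session data." Also, the second added line in the hunk is an empty line only; if it is not needed for layout, it can be dropped to keep the change minimal.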
