In CodeIgniter, session data are saved in a cookie by default. But there must also be a file on my server (named as the session ID) to verify that the data (in the cookie) i
The cookie contains an md5 hash of the session data and the encryption key of the cookie, which is verified when the data is loaded; see system/libraries/Session.php, function sess_read(), lines 140ff:
    // Decrypt the cookie data
    if ($this->sess_encrypt_cookie == TRUE)
    {
        $session = $this->CI->encrypt->decode($session);
    }
    else
    {
        // encryption was not used, so we need to check the md5 hash
        $hash    = substr($session, strlen($session)-32); // get last 32 chars
        $session = substr($session, 0, strlen($session)-32);

        // Does the md5 hash match? This is to prevent manipulation of session data in userspace
        if ($hash !== md5($session.$this->encryption_key))
        {
            log_message('error', 'The session cookie data did not match what was expected. This could be a possible hacking attempt.');
            $this->sess_destroy();
            return FALSE;
        }
    }
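The check quoted above needs nothing stored on the server except the key, which the following added example shows end to end (it is not part of the original post or of CodeIgniter). The function names, the key, the sample session array and the use of serialize() for the payload are assumptions; the HMAC-SHA256 pair goes beyond the quoted code and shows the same check with a standard keyed MAC and a constant-time comparison.

```php
<?php
// Added example, not CodeIgniter code. Key and session values are constructed.
const ENCRYPTION_KEY = 'constructed-demo-key';

// Cookie value = payload followed by md5(payload . key), as in the quoted check.
function make_cookie(array $data, string $key): string
{
    $payload = serialize($data); // assumption: payload is a serialized array
    return $payload . md5($payload . $key);
}

// Mirrors sess_read(): split off the last 32 chars and recompute the hash.
function read_cookie(string $cookie, string $key)
{
    if (strlen($cookie) <= 32) {
        return false; // too short to hold payload plus hash
    }
    $hash    = substr($cookie, -32);
    $payload = substr($cookie, 0, -32);
    if ($hash !== md5($payload . $key)) {
        return false; // payload changed by someone who does not know the key
    }
    return unserialize($payload, ['allowed_classes' => false]);
}

// Same layout with HMAC-SHA256 (64 hex chars) and hash_equals().
function make_cookie_hmac(array $data, string $key): string
{
    $payload = serialize($data);
    return $payload . hash_hmac('sha256', $payload, $key);
}

function read_cookie_hmac(string $cookie, string $key)
{
    if (strlen($cookie) <= 64) {
        return false;
    }
    $mac     = substr($cookie, -64);
    $payload = substr($cookie, 0, -64);
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return false;
    }
    return unserialize($payload, ['allowed_classes' => false]);
}

$cookie   = make_cookie(['session_id' => 'abc123', 'user' => 'alice'], ENCRYPTION_KEY);
$tampered = str_replace('alice', 'admin', $cookie); // payload edited, hash left as sent
var_dump(read_cookie($cookie, ENCRYPTION_KEY));     // untouched cookie
var_dump(read_cookie($tampered, ENCRYPTION_KEY));   // edited cookie
```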