How are codeigniter's session system separated with PHP's built in $_SESSION?

Question

As the manual says:

Note: The Session class does not utilize native PHP sessions. It generates its own session data, offering more flexibility for developers.

But when I store some data using $this->session->set_userdata(array('sample_key' => 'sample_value'));, in phpinfo() I can find sample_key and sample_value in that.

I hoped that the part

does not utilize native PHP sessions

to be meaning that it hides the session variables from phpinfo().

I'd always thought that it might be a security lack. Could it be?

As it seems, the values are urlencodeed.

Answer 1

CodeIgniter's "session" just stores the data in a cookie, and calls it a session. Native PHP sessions store the data on the server, and a "sessionID" in a cookie.

In phpinfo, you can see the variables, but it's your session, you can't see another user's session.