在codigniter安装程序的application / config / config.php文件中，您可以选择加密cookie。

  $ config ['sess_cookie_name'] ='ci_session'; 
 $ config [’sess_expiration’] = 7200； 
 $ config [’sess_encrypt_cookie’] = TRUE； //从false设置为TRUE 
 

一旦设置了set_userdata（）和userdata（）方法，透明地处理会话数据的加密和解密。

此页面底部的codigniter会话配置选项的完整列表：

http://codeigniter.com/user_guide/libraries/sessions.html

I'm just getting into learning about sessions, and for my purposes, I want to create something that upon every request from the client, the server authenticates that user, and only then performs data-handling for that user.

However, I have seen a lot of examples with CodeIgniter where the session is set up as thus:

$this->load->library('session');

$newdata = array(
               'username'  => 'johndoe',
               'email'     => 'johndoe@some-site.com',
               'logged_in' => TRUE
           );

$this->session->set_userdata($newdata);

However, couldn't someone just create a cookie on their computer with a common username and the 'logged_in' state to true, and suddenly you're authenticated without a password? This seems like a security flaw to me, but I see so many examples like this.

What is the proper way to authenticate the user on each request?

In the application/config/config.php file of your codigniter install you can choose to encrypt your cookies.

$config['sess_cookie_name']  = 'ci_session';
$config['sess_expiration']  = 7200;
$config['sess_encrypt_cookie'] = TRUE;  // set from false to TRUE

Once this is set the set_userdata() and userdata() methods will transparently handle encrypting and decrypting the session data.

A full list of codigniter session config options is at the bottom of this page:

http://codeigniter.com/user_guide/libraries/sessions.html