At the very least, the data (encrypted or not, but it should probably be encrypted) on the server related to a session lives outside the webroot, whereas in a cookie, even if it is encrypted, it's still essentially public. If there's no reason to have that data explicitly exposed in the client, then why put it there?