CodeIgniter 2.x: suddenly losing the session and getting logged out

If you have enabled global_xss_filtering = TRUE in config.php and your session is not encrypted,
then your session data is checked against a hash value to prevent user tampering.
Note that all of the session data is stored in your cookie.

So if you set a ‘strange’ value in your session data like

$this->session->set_flashdata('message', "<h4 style=''>aaaaaaa</a>"); // 'message' is just an example key

it will invalidate your session,
because when your browser sends your cookie back, CodeIgniter's Input class runs XSS cleanup on any values that look dangerous (from an XSS point of view).
So in this case the

 style=''

will be stripped, the hash check in the CI_Session class will fail, and the session will be destroyed to prevent a possible hack.

I would not suggest removing XSS filtering in any case; instead, keep your session data as simple as possible.
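
The failure described above, reproduced as an added example (a simplified model, not CodeIgniter's own code). The key, the MD5-appended cookie layout, the 'message' entry and the one-rule filter standing in for the XSS cleanup are all assumptions made for illustration.

```php
<?php
// Simplified model of an unencrypted, hash-protected cookie session.
// Not CodeIgniter's code: KEY, the MD5 layout and the filter are assumptions.
const KEY = 'constructed-demo-key';

// Server side: serialize the session array and append a keyed hash.
function build_cookie(array $userdata): string
{
    $payload = serialize($userdata);
    return $payload . md5($payload . KEY);
}

// Stand-in for global XSS filtering of incoming cookies:
// drops style="..." / style='...' attributes, as the post describes.
function filter_incoming(string $cookie): string
{
    return preg_replace('/\sstyle\s*=\s*(["\']).*?\1/i', '', $cookie);
}

// Server side on the next request: split off the hash and compare.
function read_cookie(string $cookie)
{
    $hash    = substr($cookie, -32);
    $payload = substr($cookie, 0, -32);
    if (!hash_equals(md5($payload . KEY), $hash)) {
        return false; // mismatch: the session would be destroyed
    }
    return unserialize($payload, ['allowed_classes' => false]);
}

// Constructed session contents: one with markup, one with a plain code.
$cases = [
    'html in flashdata' => ['message' => "<h4 style=''>aaaaaaa</a>"],
    'plain message key' => ['message' => 'profile_saved'],
];

foreach ($cases as $label => $userdata) {
    $sent     = build_cookie($userdata);
    $received = filter_incoming($sent);   // what the session class sees
    $result   = read_cookie($received);
    printf("%-18s changed=%s session=%s\n", $label,
        $sent === $received ? 'no' : 'yes',
        $result === false ? 'DESTROYED' : 'kept');
}
```

Storing a short message code in the session and building the HTML in the view keeps the cookie free of markup that the filter would rewrite.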

Cheers 🙂