I don't know either why this is the default in Rails.
In PHP you only have a session id in a cookie. When I first saw how it works in Rails (Ruby?) it blew my mind.
I don't want to think about how many Rails users don't know this and send sensitive data to the client.
The advantage -- and it's often a big one -- is that you don't have to have a corresponding server component to translate session id to session state. The state is all in the client.
Edit: wouldn't have written this if I'd seen FooBarWidget's more detailed remarks first.
The session information is cryptographically signed, so you don't have to trust it! These stateless server frameworks are just using the client as a state cache.
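To make the two comments above concrete, here is a minimal signed (but not encrypted) cookie session store in the style of the classic Rails CookieStore. This is example code added for this page, not Rails' own implementation; the class, method names and the `test-secret` key are made up for illustration. It shows both halves of the trade-off: the server can reject a tampered cookie without keeping any state, yet anyone holding the cookie can decode the payload without the secret, which is why putting sensitive data in it is a mistake. (Newer Rails versions encrypt the session cookie as well as signing it.)

```ruby
require 'openssl'
require 'base64'
require 'json'

# Signed cookie session store (added example, not Rails code).
# Cookie layout: base64(json(session)) + '--' + hex(HMAC-SHA256(payload)).
# Neither base64 nor hex contain '-', so the separator is unambiguous.
class SignedCookieSession
  SEPARATOR = '--'

  def initialize(secret)
    @secret = secret
  end

  # Serialize the session hash and append an HMAC tag over the payload.
  def generate(session)
    payload = Base64.strict_encode64(JSON.generate(session))
    "#{payload}#{SEPARATOR}#{hmac(payload)}"
  end

  # Verify the tag BEFORE parsing the payload; return nil if anything is off.
  # This is the whole reason the server can use the client as a state cache.
  def verify(cookie)
    payload, tag = cookie.split(SEPARATOR, 2)
    return nil if payload.nil? || tag.nil?
    return nil unless secure_equal?(tag, hmac(payload))
    JSON.parse(Base64.strict_decode64(payload))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  # What anyone holding the cookie can read with no secret at all:
  # signing provides integrity, not confidentiality.
  def self.peek(cookie)
    payload = cookie.split(SEPARATOR, 2).first
    JSON.parse(Base64.strict_decode64(payload))
  end

  # Simulate a client editing its own session without the secret:
  # rewrite the payload, keep the old tag. verify() must reject this.
  def self.forge(cookie)
    payload, tag = cookie.split(SEPARATOR, 2)
    session = JSON.parse(Base64.strict_decode64(payload))
    yield session
    "#{Base64.strict_encode64(JSON.generate(session))}#{SEPARATOR}#{tag}"
  end

  private

  def hmac(payload)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, payload)
  end

  # Constant-time comparison so the tag check doesn't leak via timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  store  = SignedCookieSession.new('test-secret') # hypothetical key
  cookie = store.generate('user_id' => 42, 'admin' => false)
  puts "server accepts:      #{store.verify(cookie).inspect}"
  puts "client can read:     #{SignedCookieSession.peek(cookie).inspect}"
  forged = SignedCookieSession.forge(cookie) { |s| s['admin'] = true }
  puts "forged cookie:       #{store.verify(forged).inspect}"
  puts "wrong secret:        #{SignedCookieSession.new('other').verify(cookie).inspect}"
end
```

The `peek` call is the point of the "sensitive data" worry: the payload is only base64, so a password reset token, an email address or a PII blob stored in the session is visible to the user and to anything that can read the cookie (logs, proxies, XSS). Signing stops the client from changing `admin` to `true`; it does nothing to stop them reading it.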