by cies 5189 days ago
I can think of only one case: that in which the site owners don't want the user (or a sidejacker, in the case of a non-SSL connection) to see some data they wish to put in the cookie.

I cannot think of a web app I worked on where this was needed.

(the hashing is cool though -- tamper prevention is commonly a good thing)


Notably, this would only happen if you have data in the user's session that the user themselves cannot get to by using the site. I confess I can't think of any such session data, but I suppose it could exist.

And yes, some sort of HMAC is pretty much mandatory if you're going to do client-side session storage securely, no question.
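An added example (not from this thread) of the client-side session scheme the comments describe: the session data is only base64-encoded, so the user can read it, but it carries an HMAC-SHA256 tag so the server rejects any modification. `SECRET_KEY` and the function names are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real server loads this from config and never sends it to clients.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def sign_session(data: dict, key: bytes = SECRET_KEY) -> str:
    """Serialise the session and append an HMAC-SHA256 tag: readable, not alterable."""
    payload = base64.urlsafe_b64encode(
        json.dumps(data, sort_keys=True).encode()
    ).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_session(cookie: str, key: bytes = SECRET_KEY):
    """Return the session dict if the tag matches, otherwise None (reject the cookie)."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:  # no tag at all
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def peek_session(cookie: str) -> dict:
    """What the user (or anyone holding the cookie) can read without the key."""
    return json.loads(base64.urlsafe_b64decode(cookie.rsplit(".", 1)[0]))


def modify_payload(cookie: str, data: dict) -> str:
    """Swap the payload while keeping the old tag; used to show that verification fails."""
    old_tag = cookie.rsplit(".", 1)[1]
    new_payload = base64.urlsafe_b64encode(
        json.dumps(data, sort_keys=True).encode()
    ).decode()
    return f"{new_payload}.{old_tag}"
```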