It is based on the observation that most apps only store the user ID and other non-sensitive data in the session. Storing the session in the cookie then brings many benefits. It does not require any server-side session store maintenance, and it is very fast and scalable because no database lookup is required. The fact that this store should not be used for storing sensitive information is well-documented in the Rails security guide. For storing sensitive information, one can use many of the alternative session stores available, such as the ActiveRecord session store which saves session data into the database.
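The point above (the cookie store is fine for a user ID, not for secrets) is easiest to see with a small model of a signed, unencrypted cookie session. The following Ruby is an added illustration written for this thread, not code from the commenter or from Rails itself: the `--`-separated Base64 payload plus HMAC layout mirrors the classic Rails CookieStore, but the secret, the session contents and the helper names (`generate_cookie`, `verify_cookie`, `read_without_secret`, `secure_equal?`) are constructed for the example.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed placeholder secret for the demo; a real app uses its own
# randomly generated secret from configuration.
SECRET = 'constructed-demo-secret-do-not-use'.freeze

# HMAC-SHA1 over the encoded payload, hex-encoded. This gives integrity
# (the server can tell if the cookie was modified) but no confidentiality.
def hmac(data, secret = SECRET)
  OpenSSL::HMAC.hexdigest('SHA1', secret, data)
end

# Constant-time string comparison so signature checks do not leak
# how many leading bytes matched through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Serialize the session hash and append its signature: "<base64>--<hmac>".
def generate_cookie(session, secret = SECRET)
  data = Base64.strict_encode64(JSON.generate(session))
  "#{data}--#{hmac(data, secret)}"
end

# Verify the signature and deserialize. Returns nil for a missing, wrong
# or tampered signature, or for a payload that does not decode.
def verify_cookie(cookie, secret = SECRET)
  data, digest = cookie.split('--', 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_equal?(digest, hmac(data, secret))
  JSON.parse(Base64.strict_decode64(data))
rescue ArgumentError, JSON::ParserError
  nil
end

# What the browser, a proxy log, or anyone else holding the cookie can read
# with no secret at all: the payload is only encoded, not encrypted. This is
# why only non-sensitive data such as a user ID belongs in it.
def read_without_secret(cookie)
  data, _digest = cookie.split('--', 2)
  JSON.parse(Base64.strict_decode64(data))
end

if __FILE__ == $PROGRAM_NAME
  cookie = generate_cookie('user_id' => 42)
  puts "cookie:            #{cookie}"
  puts "server sees:       #{verify_cookie(cookie).inspect}"
  puts "client can read:   #{read_without_secret(cookie).inspect}"
  forged = generate_cookie('user_id' => 1).split('--').first + '--' + cookie.split('--').last
  puts "tampered verifies: #{!verify_cookie(forged).nil?}"
end
```

Run it to see both halves of the argument in the thread: the server rejects a payload whose signature does not match, so the cookie store is safe against tampering, yet `read_without_secret` recovers the session contents from the cookie alone, which is exactly why anything sensitive should live server-side instead.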
We at Phusion have created an encrypted session store in the past (http://blog.phusion.nl/2010/04/13/announcing-encryptedcookie...). However we've found it to be of limited use (and indeed, it doesn't look like many people use it). If your data is sensitive then you're better off storing it on the server. If your data is not sensitive then encrypting it doesn't help you.