How dont they seem secure? They are not sent across the internet and the only way to obtain their data without you is to hack the actual server itself (and then you have to know where the session data is kept). I noticed by default its in the /tmp in Linux, and wherever in Windows (I believe its the session.save_path in the php.ini file), but this is easily changed. Im not the greatest in either security or webserver administration. But I believe as long as you have a secure server, your session data should be just as secure.
Just my opinion