Encryption of session-id and cookies prevents the user from modifying the values. By changing the content, a potential attacker can perform denial of service attacks by triggering pathological (worst case) algorithm complexity on data structures.