Sessions in database
Posted: 01 September 2007 06:50 AM
Joined: 2007-08-25
44 posts

What's the reason for putting sessions in the database when the IP is not checked, and it couldn't be, as there are dynamic IPs? What if someone changes his session value in the cookie and has the same user_agent data as the real owner of that session id? How is the validation actually done? It seems a bit unusable. Can you explain, please? Thanks!

 
Posted: 01 September 2007 08:06 AM   [ # 1 ]
Joined: 2007-07-17
122 posts

If you don't want him to edit the session values, you encrypt the cookie. Storing sessions in the database helps prevent session hijacking. With that technique one can use somebody else's session, claiming his identity.

Signature

Computers are incredibly fast, accurate and stupid. Human beings are incredibly slow, inaccurate and brilliant. Together they are powerful beyond imagination.

A. Einstein
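The mechanism the reply describes, as an added illustration in Python (not CodeIgniter's own session library, which is PHP): the cookie carries an HMAC tag so an edited session id or user agent is rejected before any lookup, and the database row, not the cookie, decides whether a session exists, who it belongs to, and whether it has expired. The key, table layout and sample user agents are constructed for the demo; the user-agent comparison is kept only as the extra check the thread mentions, since a copied user agent alone will pass it.

```python
import hashlib
import hmac
import json
import secrets
import sqlite3
import time

# Constructed server-side secret; in a real deployment this lives in config, never in the cookie.
SECRET = b"constructed-demo-key-not-for-production"


def sign_cookie(payload: dict) -> str:
    """Serialize the payload and append an HMAC-SHA256 tag: hex(body).hex(tag)."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def verify_cookie(cookie: str):
    """Return the payload dict, or None if the cookie is malformed or its tag does not match."""
    try:
        body_hex, tag = cookie.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # client edited the body (or forged it) without the key
    return json.loads(body)


def open_store():
    """In-memory stand-in for the sessions table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (session_id TEXT PRIMARY KEY, user_id INTEGER, "
               "user_agent TEXT, last_activity INTEGER)")
    return db


def create_session(db, user_id: int, user_agent: str) -> str:
    sid = secrets.token_hex(16)  # 128 random bits: not guessable from other sessions
    db.execute("INSERT INTO sessions VALUES (?, ?, ?, ?)", (sid, user_id, user_agent, int(time.time())))
    return sign_cookie({"session_id": sid, "user_agent": user_agent})


def validate(db, cookie: str, request_user_agent: str, max_age: int = 7200):
    """Return the user_id for a valid request, or None: bad tag, unknown id, UA mismatch, or expired."""
    data = verify_cookie(cookie)
    if data is None:
        return None
    row = db.execute("SELECT user_id, user_agent, last_activity FROM sessions WHERE session_id = ?",
                     (data.get("session_id"),)).fetchone()
    if row is None:
        return None  # the server record is authoritative; a cookie that names no row is worthless
    user_id, stored_ua, last_activity = row
    if stored_ua != request_user_agent or time.time() - last_activity > max_age:
        return None
    return user_id
```

Because only the database row decides validity, a hijacked session can be cut off immediately by deleting its row, which a purely client-side cookie cannot offer.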