IANA security expert but I think session info is somewhat protected by the short TTL. The amount of time required to get at the session data should (hopefully) exceed its window of validity.