Written in PHP, these compatibility functions differ from the built-ins in one respect: they don't serialize/unserialize objects.
We currently sign and apply a blacklist on cookies, so this doesn't add any security value there.
But PhpSecInfo has a test that unserializes content from php.net.
(In ) fixes #1900 - use safe_unserialize() for third-party content; for signed cookies, replace serialize/unserialize with the more compact json_encode()/json_decode()
(In ) Fixing broken tracking: json_decode returning objects but code is using the data as array. Refs #1900
(In ) refs #1900, fixes #1911
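
The two changes discussed in this ticket, as an added PHP example that is not the project's own code: a signed cookie carried as JSON and decoded to arrays rather than objects, and object-free unserialization of third-party content. The function names and `COOKIE_KEY` are hypothetical, the sample data is constructed, and PHP's built-in `allowed_classes` option (PHP 7.1+ assumed) stands in for the ticket's `safe_unserialize()`, whose implementation is not shown here.

```php
<?php
// Added example: names and key are hypothetical, sample data is constructed.
const COOKIE_KEY = 'constructed-demo-key-do-not-reuse';

// Encode an array as base64(JSON) followed by an HMAC-SHA256 tag.
function encode_signed_cookie(array $data): string
{
    $payload = base64_encode(json_encode($data));
    return $payload . '.' . hash_hmac('sha256', $payload, COOKIE_KEY);
}

// Verify the tag first, then decode. Returns null for anything invalid.
function decode_signed_cookie(string $cookie): ?array
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $tag] = $parts;
    // Constant-time comparison of the expected and supplied tags.
    if (!hash_equals(hash_hmac('sha256', $payload, COOKIE_KEY), $tag)) {
        return null;
    }
    $json = base64_decode($payload, true);
    if ($json === false) {
        return null;
    }
    // Second argument true: JSON objects become associative arrays,
    // so callers that index the result with [] keep working.
    $data = json_decode($json, true);
    return is_array($data) ? $data : null;
}

// Third-party serialized content: no class is instantiated; any serialized
// object is returned as __PHP_Incomplete_Class instead of a live instance.
function unserialize_without_objects(string $blob)
{
    return unserialize($blob, ['allowed_classes' => false]);
}

$cookie = encode_signed_cookie(['visitor' => 'abc123', 'visits' => 3]);
var_dump(decode_signed_cookie($cookie));            // valid tag
var_dump(decode_signed_cookie($cookie . 'x'));      // tampered tag
var_dump(unserialize_without_objects('O:8:"stdClass":0:{}') instanceof stdClass);
```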