In an older thread Dr Byte said:

The webserver handles SSL and NONSSL activities as separate activities from separate sites. This runs the risk of having your session data not available if the filesystem references aren't available from the "other" site.
Granted, if all the files are handled from the same place, the risk is limited.
However, if it's all stored in the database, it's all available regardless of which server it's coming from.
Further, having any security information left in O/S files is a sensitive issue to many.
Also, files are vulnerable to changes made by server administrators related to permissions. If 777 rights were ever prevented by the admin, your site would be down until the session files could be written again.

Both options work, but I recommend database for almost all cases.

1. Can I do this through the control panel? Configuration > Sessions?

2. This is prompted by a customer wanting secure login. Currently I'm using the default settings for what is and isn't secure. Can someone tell me where the default SSL settings are? We have noticed since our 1.3.2 upgrades that some admin pages are secure and some are not as well.