PHP Sessions Overview
A shared hosting environment raises security concerns for everyone involved, and sessions are no exception. This tip is specific to PHP, but the principles apply to other languages as well.
Before moving on, it's highly recommended to read the following PHP manual pages first (not just skim them or read parts, but actually read them!):
INI Directives
Tips on various PHP session-related directives:
- session.save_path
  - By default (for ASO shared hosting environments) this is set to '/tmp', meaning session files for all users of the hosting server/computer are saved there.
    - This makes it easy/possible for other users to peek in on (steal) this session data and hijack sessions.
  - Consider setting this directive to a path like '/home/yourusername/tmp'. Essentially you must:
    - Be sure the path exists (by creating it via FTP or SSH).
    - Since session.save_path is PHP_INI_ALL, it can be set either:
      - In the PHP script itself using session_save_path() or ini_set()
      - Or in .htaccess
      - Or in php.ini
  - Setting it to a home path also affects your disk usage, but typically these files are small.
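The following is an added example, not code from the original tip: it moves session storage from the shared '/tmp' to a per-account directory, creates that directory with owner-only permissions if needed, and verifies the setting took effect before session_start(). The path '/home/yourusername/tmp' is a placeholder; it assumes the directory sits outside the web root and that the script runs as the account owner.

```php
<?php
// Added example (not from the original tip): use a private, per-account
// session directory instead of the shared /tmp on a shared host.
// Assumes /home/yourusername is a placeholder for the account's home and that
// the chosen directory is not under the web root (e.g. not in public_html).

declare(strict_types=1);

function preparePrivateSessionDir(string $dir): string
{
    // Create the directory if missing; 0700 keeps other users on the shared
    // server from listing or reading the session files stored inside.
    if (!is_dir($dir) && !mkdir($dir, 0700, true) && !is_dir($dir)) {
        throw new RuntimeException("Cannot create session directory: $dir");
    }
    // mkdir's mode is subject to umask, and the directory may have pre-existed
    // with a looser mode, so enforce owner-only access explicitly.
    if ((fileperms($dir) & 0777) !== 0700 && !chmod($dir, 0700)) {
        throw new RuntimeException("Cannot restrict permissions on: $dir");
    }
    if (!is_writable($dir)) {
        throw new RuntimeException("Session directory is not writable: $dir");
    }
    return $dir;
}

$sessionDir = preparePrivateSessionDir('/home/yourusername/tmp');

// session.save_path is PHP_INI_ALL, so it can be changed at runtime, but it
// must be set *before* session_start(); afterwards the default path is in use.
session_save_path($sessionDir);
// Equivalent form:  ini_set('session.save_path', $sessionDir);

// Sanity check: confirm PHP will actually write sessions to the private path.
if (session_save_path() !== $sessionDir) {
    throw new RuntimeException('session.save_path was not applied');
}

session_start();
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;

// The same setting without touching code (mod_php-style hosts):
//   .htaccess:  php_value session.save_path /home/yourusername/tmp
//   php.ini:    session.save_path = "/home/yourusername/tmp"
```

If the host runs PHP as a different user than the account owner (e.g. some FastCGI setups), the 0700 mode will make the directory unwritable, so check the `is_writable()` result rather than assuming the first request succeeded.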