You shouldn't use the default /tmp to store sessions, as it is highly insecure because it's world-readable.
Instead, here's an alternative method:
- FTP to your web space root directory, where you should see /web and /logs
- create a new folder called _SESSIONS
- CHMOD the folder to 770
- in your scripts, before calling session_start(), add the following lines:
$doc_root = preg_replace('#/web$#i', '', $_SERVER["DOCUMENT_ROOT"]); // strip trailing /web (eregi_replace() was removed in PHP 7)
ini_set("session.save_path", "$doc_root/_SESSIONS/"); // must run before session_start()
This will then set the sessions to be saved in _SESSIONS in your hosting space, safely outside the /web directory and only accessible through your scripts.
NOTE: For this technique to work without causing permission problems, all of your site's session-enabled files must be uploaded using the same FTP account.
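
The steps above can be verified at runtime before the session starts. This is an added example, not part of the original instructions: configure_session_dir() is a hypothetical helper name, and it assumes the /web and _SESSIONS layout described above and a PHP 7 or later web request.

```php
<?php
// Added example: check the session directory before pointing PHP at it.
// configure_session_dir() is a hypothetical helper, not a PHP built-in.
function configure_session_dir(string $docRoot, string $dirName = '_SESSIONS'): string
{
    // Strip a trailing "/web" (case-insensitive), as in the snippet above.
    $base = preg_replace('#/web$#i', '', rtrim($docRoot, '/'));
    $path = realpath($base . '/' . $dirName);
    if ($path === false || !is_dir($path)) {
        throw new RuntimeException("Session directory missing: $base/$dirName");
    }

    // The directory must not sit inside the web-served tree. This also
    // catches a document root that does not end in /web, where the
    // stripping above leaves the path unchanged.
    $webRoot = realpath($docRoot);
    if ($webRoot !== false && strpos($path . '/', $webRoot . '/') === 0) {
        throw new RuntimeException("Session directory is inside the document root: $path");
    }

    // CHMOD 770 leaves no permission bits for "other"; reject anything looser.
    $mode = fileperms($path) & 0777;
    if (($mode & 0007) !== 0) {
        throw new RuntimeException(
            sprintf('Session directory is accessible to other users (mode %o)', $mode)
        );
    }

    // A permission mismatch between the FTP account and PHP shows up here.
    if (!is_writable($path)) {
        throw new RuntimeException("Session directory is not writable by PHP: $path");
    }

    ini_set('session.save_path', $path);
    return $path;
}

// Must run before session_start() in every session-enabled script.
configure_session_dir($_SERVER['DOCUMENT_ROOT']);
session_start();
```

Failing with an exception here means a misconfigured directory is noticed immediately, rather than sessions being written somewhere unintended.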