Understanding the way to save a session as value and security

I use only sessions to store variables and was hoping to make sure that the session save path cannot be tampered with by any of the users. So I went to check my phpinfo and found that the session save path doesn't matter. Is this normal for users who use sessions only for variables? Do I have to worry if the session save path is not set?

+4
2 answers

The default value for session.save_path is "" (empty string), which defaults to /tmp.

From a "working" point of view, there is no need to worry that it does not matter (as is the default value); however, from a security point of view, there is.

Warning from the manual:

If you leave this set in a global directory, for example /tmp (by default), other users on the server can arrange sessions to obtain a list of files in this directory.

+7

You can set save_path by creating/editing .htaccess with this code:

    php_value session.save_path /mnt/stor1-wc1-dfw1/123456/www.domain.com/web/sessions
    php_value session.save_handler files

For more information, visit this site: State Servers PHP sessions on cloud sites and how to fix broken PHP sessions

0
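One way to check the directory both answers are concerned with, as an added example that is not code from either answer: it resolves the directory PHP will actually use, flags permission bits that let other accounts list or reach the session files, and compares the result with an owner-only directory. The function names and the `example_app_sessions_` path are assumptions made for illustration.

```php
<?php
// Added example: function names are hypothetical, the private path is constructed.

// Directory PHP's "files" handler will use: "" falls back to the system temp dir,
// and the "N;/path" / "N;MODE;/path" forms keep the directory in the last field.
function effective_session_dir(string $savePath): string
{
    $parts = explode(';', $savePath);
    $dir = trim(end($parts));
    return $dir === '' ? sys_get_temp_dir() : $dir;
}

// Returns findings; an empty array means only the owner can reach the directory.
function audit_session_dir(string $dir): array
{
    clearstatcache(true, $dir);
    if (!is_dir($dir)) {
        return ['not a directory'];
    }
    $mode = fileperms($dir) & 07777;
    $findings = [];
    if ($mode & 0004) {
        $findings[] = 'world-readable: other users can list the session files';
    }
    if ($mode & 0003) {
        $findings[] = 'world-writable or world-searchable: other users can reach files inside';
    }
    if ($mode & 0070) {
        $findings[] = 'group-accessible: check who is in the owning group';
    }
    if (function_exists('posix_geteuid') && fileowner($dir) !== posix_geteuid()) {
        $findings[] = 'not owned by the user PHP runs as';
    }
    return $findings;
}

// Constructed private directory, created owner-only as an alternative to the default.
$private = sys_get_temp_dir() . '/example_app_sessions_' . getmypid();
mkdir($private, 0700);
chmod($private, 0700); // mkdir() applies the umask; chmod() sets the exact mode

foreach ([(string) ini_get('session.save_path'), $private] as $configured) {
    $dir = effective_session_dir($configured);
    $findings = audit_session_dir($dir);
    echo $dir, ': ', $findings ? implode('; ', $findings) : 'owner-only', PHP_EOL;
}
rmdir($private);
```

Run it as the same user the web server uses for PHP, since ownership and the effective session.save_path both depend on that context.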

Source: https://habr.com/ru/post/1437714/