
On shared hosting, we had occasional problems when the server's /tmp directory was full. Our hosting company suggested we change the session save path to be unique for each site.

ini_set('session.save_path', $_SERVER['DOCUMENT_ROOT'] . '/_SESSIONS/');

Yes, that puts our sessions in the web root. We deal with potential privacy issues by including a .htaccess file in that folder:

deny from all

This works.

We have now moved to our own managed server. The default session save path on this server is /var/lib/php/session. Is there any good reason to continue overwriting this to /var/www/vhosts/example.net/httpdocs/_SESSIONS/?

TRiG
  • "change the session save path to be unique for each site" - If you are using separate _accounts_ on a shared host to host each site, then the session save path should already be unique for each site (unless there is a server misconfiguration). However, if you are using cPanel-like "Addon" domains on a single account to host each site (not recommended), then yes, everything will be lumped together by default. – MrWhite Dec 15 '16 at 12:29

1 Answer


I don't see any reason why you should need to change it from the default on a dedicated server, unless it happens to be set to somewhere with a small partition and you're worried about running out of space (as was the case originally). Looking at the paths, I'm guessing the two paths on your new server are on the same partition, so that's a moot point now.

I personally would want it outside the webroot regardless of .htaccess security. It just doesn't make sense to put it there, then try to secure it, when it can just as easily be outside the website.

On a shared server I would probably want my sessions in my own directory. Depending on how good the security is, putting them in the same place as every other site could let other sites access my session data.

USD Matt
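Two checks that follow from the answer above, as an added example that is not part of the question or the answer: whether a candidate session.save_path sits inside the site's document root (so it is only protected by a deny rule), and whether the directory grants any permission bits to "other" users (relevant to the shared-server concern). The paths in the demo calls are the ones from the question and are used here as constructed sample input; the directories need not exist.

```sh
#!/bin/sh
# Added example, not code from the question or the answer. Two checks an admin
# can run on a PHP session directory; the sample paths below are constructed.

# is_inside_docroot DOCROOT PATH
# Succeeds (exit 0) when PATH equals DOCROOT or lies beneath it, i.e. when the
# session files would be reachable through the web server unless a deny rule
# is in place. Trailing slashes are stripped so "httpdocs/" and "httpdocs"
# compare equal; the "/" in the second pattern stops "httpdocs_old" matching.
is_inside_docroot() {
    docroot=$(printf '%s' "$1" | sed 's:/*$::')
    target=$(printf '%s' "$2" | sed 's:/*$::')
    case "$target" in
        "$docroot" | "$docroot"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# dir_not_world_accessible DIR
# Succeeds when DIR exists and its "other" permission triplet is "---", so
# unrelated local accounts can neither list nor read the session files in it.
# Uses `ls -ld` rather than `stat`, whose flags differ between GNU and BSD.
dir_not_world_accessible() {
    [ -d "$1" ] || return 1
    other=$(ls -ld "$1" | cut -c8-10)
    [ "$other" = "---" ]
}

# report DOCROOT SAVEPATH: print a verdict for both checks
report() {
    if is_inside_docroot "$1" "$2"; then
        echo "WARN: $2 is inside the document root $1"
    else
        echo "ok:   $2 is outside the document root"
    fi
    if dir_not_world_accessible "$2"; then
        echo "ok:   $2 exists and is not accessible to other users"
    else
        echo "WARN: $2 is missing or grants permissions to other users"
    fi
}

# Demo with the two paths from the question (constructed; may not exist here).
report /var/www/vhosts/example.net/httpdocs /var/www/vhosts/example.net/httpdocs/_SESSIONS/
report /var/www/vhosts/example.net/httpdocs /var/lib/php/session
```

The path comparison is purely textual; if either path may contain symlinks, resolve both with `realpath` first, otherwise a link from inside the docroot to the session directory would pass the first check while still exposing the files.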