Session.save_path issue

I have an issue with session.save_path. The default is /var/lib/php/session but if I use that only the root user has access to it so no session data is being saved. If I create a /home/data/tmp directory everything works fine where /home is the web site root directory. So that begs two questions.

  1. I read somewhere that you shouldn’t use a public directory for session stores because they can be hijacked by another user. So is there a problem using something like /home/data/tmp for the session store?

  2. If I use the default, how do I give permission on this without making it public also and what level of permission do I give?

Thanks

Does anyone know anything about the session.save_path issue regarding security?

Have you considered storing the sessions in a database table?

I guess I was looking for best-practices information. Certainly if that is the way to go regarding performance and security, I’ll do it. My question I guess is more along the lines of what are the security and performance issues in the real world, what is the best way to do this. I’ll do the research on how to do it, it’s just that I’d rather not take the 10 years to figure out which is the best way to do it. I’m too old and by the time I finished that experiment good chance they wouldn’t let me play with my computer any more.

You can make a private directory above the web root and give it permissions so that php can write to it. That’s where I normally store my session, db passwords, payment gateway information, etc.

By private directory above the web root you mean /root/privatedir, correct? Also, how do I identify php as a user for permissions? Is that just admin?

If your webroot is /home/, then create a directory above that (i.e. /home/…/private/) and chmod it to 0750.

Excellent, thanks so much for the input. I am off to find chmod, haven’t used it before but I’ll get it. Thanks again.

Got it, thanks so much for the help. Works great.
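Putting the thread's advice together (a private directory outside the web root, permissions that keep other users on the host out, and session.save_path pointed at it) as an added example; this is not code from anyone in the thread, and the directory paths and the www-data account name are assumptions for illustration.

```shell
#!/bin/sh
# Create a private PHP session directory outside the web root and verify
# that other local users cannot read it. Paths and the web-server account
# name are assumptions for illustration, not values from the thread.

# Create DIR with mode 0700 and, when run as root and OWNER is given,
# hand it to the account PHP runs under (e.g. www-data or php-fpm's user).
setup_session_dir() {
    dir="$1"
    owner="${2:-}"
    mkdir -p "$dir" || return 1
    chmod 0700 "$dir" || return 1
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$dir" || return 1
    fi
    return 0
}

# Return 0 only if DIR is a directory whose "other" permission bits are
# all clear: 0700 and the 0750 suggested above pass, 0755 or 0777 fail.
# Uses the ls permission string so it works on both GNU and BSD systems.
check_session_dir() {
    dir="$1"
    [ -d "$dir" ] || return 1
    perms=$(ls -ld "$dir" | cut -c1-10)
    other=$(printf '%s' "$perms" | cut -c8-10)
    [ "$other" = "---" ]
}

# Print the php.ini lines that point PHP at DIR. use_strict_mode makes PHP
# reject session ids it did not generate itself, which limits fixation.
session_ini_fragment() {
    printf 'session.save_path = "%s"\n' "$1"
    printf 'session.use_strict_mode = 1\n'
}

# Example run (hypothetical paths): as root, give the directory to www-data.
# setup_session_dir /home/private/sessions www-data
# check_session_dir /home/private/sessions && session_ini_fragment /home/private/sessions
```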