Beginner web developers may not be fully aware of the security risks that come with shared hosting. Most shared hosting servers run a single PHP installation that uses one php.ini for every account on the machine. In practice this means session data for every site on the server is written to the same directory (by default the system temporary directory, commonly /tmp), one file per session named sess_<session id>. Any account whose scripts can read that directory can read the session files belonging to another user's website, recover valid session IDs and the data stored in them, and present one of those IDs to bypass that site's authentication.
The good news is that PHP offers several ways to change where session data is saved, so you can point it at a directory that only your own account can read. Taking the time to set session.save_path is one more way to secure your website and your users' data.
Method 1: Modify the php.ini file
The php.ini file contains the settings PHP reads at startup. To update it, search for session.save_path and set it to a path inside your account's home directory but outside the web root, so the session files can never be served as static content. For example, if your account is /users/abc123/ and your website lives in /users/abc123/www.example.com/, store sessions in /users/abc123/temp or similar. The directory must be writable by the user PHP runs as and should have mode 0700 so other accounts cannot list or read it. On many shared hosts you cannot edit the global php.ini, but a per-directory php.ini or .user.ini (with PHP running as CGI/FastCGI) accepts the same directive:
session.save_path = /users/abc123/temp
Method 2: Set the path using the session_save_path function
If you can't edit php.ini, the second option is the session_save_path() function. Called with no argument it returns the current path; called with a path it sets the new one and returns the previous value. The setting applies only to the current request, so call it before session_start() (or any other session handling) in every script; a shared bootstrap file included at the top of each page is the usual place.
Method 3: Set the path by use of the ini_set function
The ini_set() function can override most settings from php.ini at runtime, including session.save_path. Pass the configuration key (session.save_path) and the value to give it (your private directory). As with session_save_path(), it only affects the current request and must run before session_start().
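The following is an added example, not code from the original article. It combines Methods 2 and 3 in one bootstrap script, creates the private session directory with mode 0700 if it is missing (the files handler will not create it), locks the setting in before session_start(), and then checks that the session file for the current request really landed in the private directory. The account path /users/abc123/ is the same hypothetical layout used above; change $sessionDir to match your own account.

```php
<?php
// Added example (not from the original article). Assumes the hypothetical
// account layout /users/abc123/; adjust $sessionDir to your own account.
declare(strict_types=1);

function configurePrivateSessionPath(string $sessionDir): string
{
    // The files session handler does not create the directory, so do it here.
    // Mode 0700: only our own account may list, read or write session files.
    if (!is_dir($sessionDir)) {
        if (!mkdir($sessionDir, 0700, true) && !is_dir($sessionDir)) {
            throw new RuntimeException("Cannot create session directory: $sessionDir");
        }
    }
    if (!is_writable($sessionDir)) {
        throw new RuntimeException("Session directory is not writable: $sessionDir");
    }
    // If the directory already existed with group/other permissions, tighten it.
    if ((fileperms($sessionDir) & 0077) !== 0) {
        chmod($sessionDir, 0700);
    }

    // Either call is sufficient; both must run before session_start().
    session_save_path($sessionDir);            // Method 2
    ini_set('session.save_path', $sessionDir); // Method 3 (equivalent)

    // Reject session IDs that PHP did not generate itself, so an attacker
    // cannot plant an ID of their choosing (session fixation).
    ini_set('session.use_strict_mode', '1');

    // Some distributions set gc_probability to 0 and rely on a cron job that
    // only cleans the default directory; re-enable PHP's own garbage collection.
    if ((int) ini_get('session.gc_probability') === 0) {
        ini_set('session.gc_probability', '1');
    }

    return session_save_path(); // read back the effective value
}

$sessionDir = '/users/abc123/temp';
$effective  = configurePrivateSessionPath($sessionDir);
if ($effective !== $sessionDir) {
    throw new RuntimeException("session.save_path is '$effective', expected '$sessionDir'");
}

session_start();
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;

// Sanity check: the files handler names each session file sess_<id>.
$sessionFile = $sessionDir . '/sess_' . session_id();
session_write_close(); // flush so the file exists on disk before we look
if (!is_file($sessionFile)) {
    throw new RuntimeException("Expected session file not found: $sessionFile");
}
printf("session stored at %s (mode %o)\n", $sessionFile, fileperms($sessionFile) & 0777);
```

Run it once from the command line or include it at the top of a page and confirm that a sess_ file appears under /users/abc123/temp with mode 0600, and that no new sess_ files appear in the old shared directory.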
Moving the session save path out of the shared directory is one more step you can take to secure your PHP websites. One item to note is that the directory must already exist: the files session handler will not create it, and if PHP cannot open the directory session_start() fails with a warning rather than silently falling back to the shared location, so check the error log after making the change. After deploying, verify that new sess_ files are created in your private directory and that none are still appearing in the old shared one.