Php – Understanding session save path as no value and security

php, security, session, session-variables

I only use sessions to store variables and was hoping to ensure that the session save path could not be tampered with by any of the users. So I went to check my phpinfo and found that the session save path was set to no value. Is this normal for users who only use sessions for variables? Do I have anything to worry about if the sessions save path is set to no value?

Best Solution

The default value for the session.save_path setting is "" (empty string), which defaults to /tmp.

From a "working" standpoint, there is no need to worry that it's set to no value (as that's the default); however, from a security standpoint there is.

Warning from the manual:

If you leave this set to a world-readable directory, such as /tmp (the default), other users on the server may be able to hijack sessions by getting the list of files in that directory.