I only use sessions to store variables and was hoping to ensure that the session save path could not be tampered with by any of the users. So I went to check my phpinfo and found that the session save path was set to no value. Is this normal for users who only use sessions for variables? Do I have anything to worry about if the sessions save path is set to no value?
The default value for the
session.save_path setting is
"" (empty string), which defaults to
From a "working" standpoint, there is no need to worry that it's set to no value (as that's the default); however, from a security standpoint there is.
Warning from the manual:
If you leave this set to a world-readable directory, such as /tmp (the default), other users on the server may be able to hijack sessions by getting the list of files in that directory.