Since the default /tmp is usually open to all accounts in a shared host it’s generally advised to use session.save_path and set a different location.
Is it assumed that a better location is in /home/username/example_session_tmp/ as long as it’s not in /home/username/public_html/?
If so, wouldn’t that still be vulnerable in case a hacker were able to inject a script in public_html and read ../example_session_tmp/? Or is it the only way and it’s generally assumed your site is secured from script injections?
Note: Database session handler is an alternative option but let’s assume it’s not possible.
If a hacker gets a script into your site, there isn’t a lot you can do to stop him from snagging sessions. If your webserver has access to the sessions then that user will. No matter where you stick it the hacker can find with with a simple call to
session_save_path.To sum up:
~/sessionsshould prevent other shared hosting users tampering with your sessions. This does not prevent someone who gains access to your webserver from seeing and tampering with sessions.