I hope someone can help me.

My site has been using cookies and I have decided to scrap cookies after finding too many security holes, which I myself was able to hack in testing.

I have looked online and found nothing that is what I am after; even my PHP books do not mention anything about session paths, only about sessions themselves.

Basically, I was reading that the session path can be changed. I am on a shared web hosting server and, obviously, due to security pitfalls I want to change the session path.

I do not have access to the php.ini file, so I looked it up and noticed I could use session_save_path.

The thing is, I cannot find how I actually use it.

1) Basically, how do I tell it where the new session path is?

2) Do I need to use the session path on every page that uses sessions so it knows where to store the sessions?

3) Also, would I have to specify the session path before the session_start()?

4) How would I write the directory for the session path? Something like /home/sites/mydomain.com/ ?

5) Should I store the session path folder outside of the public_html area? And if so, what should the CHMOD be? My host does not support CHMOD 777 but supports CHMOD 755.

6) How do I get around starting a session after header info etc. has been sent, as sometimes I think I am going to need to send it afterwards?

Sorry for all the questions. I have looked everywhere, in my books, Google and php.net, and cannot find answers to my questions.




You need to specify a new path using an absolute path. It needs to be done on every page before session_start(). It would be pointless to store them inside the public_html as they would be public for everyone to see. That would be a bigger risk than using the default temp directory. 755 chmod would be fine. ob_start() would help you in sending headers after data has been output.

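A bootstrap include that puts the steps from the answer above together, as an added example that is not part of the original thread. The directory path is a placeholder, and the 0700 mode and the document-root check are additions assumed here rather than anything the posters specified.

```php
<?php
// session_bootstrap.php (hypothetical file name): include first on every page.

// Buffer output so the session cookie header can still be sent even if the
// page prints something before the session is started.
ob_start();

// Absolute path outside public_html. Placeholder value, adjust to the account.
const SESSION_DIR = '/home/sites/example.com/private/sessions';

function start_private_session(string $dir): void
{
    // session_save_path() has no effect once a session is already active.
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }

    // Create the directory on first use. 0700 stops other accounts on a
    // shared host from listing the session file names (which contain the
    // session ids); fall back to 0755 only if the host requires it.
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("Cannot create session directory: $dir");
    }
    if (!is_writable($dir)) {
        throw new RuntimeException("Session directory is not writable: $dir");
    }

    // Refuse a directory that resolves to somewhere inside the web root,
    // where session files could be fetched over HTTP.
    $real    = realpath($dir);
    $docRoot = empty($_SERVER['DOCUMENT_ROOT'])
        ? false
        : realpath($_SERVER['DOCUMENT_ROOT']);
    if ($real === false
        || ($docRoot !== false && strpos($real . '/', $docRoot . '/') === 0)) {
        throw new RuntimeException("Session directory must be outside the web root");
    }

    // Must be called before session_start(), on every request.
    session_save_path($real);
    session_start();
}

start_private_session(SESSION_DIR);
```

Load it with `require_once` as the first statement of each page that reads or writes `$_SESSION`.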



Thanks Keith,

All sorted. I am rather enjoying using sessions much more than cookies.

I have stripped dozens of lines of code out of my site and very few queries are done now, as when a user's details are verified and they log in I store the info that I need about the user in the session, so I can retrieve it when I need it across any webpage on which I want their information displayed, etc.

So happy I changed it, and thanks for your help. Worked first time.




Hi Keith,

Yes, I do realise that. I worded it wrong in my last post.

What I meant was that it is more secure, especially after reading about security with sessions etc.

Works great.

