In a PHP membership website hosted on shared hosting, the session used to time out 30 minutes after closing the browser. We solved that problem by creating a users.ini file and creating a folder 'session' in public_html.
In the users.ini file, session.cookie_lifetime and session.gc_maxlifetime were extended, and session.save_path was set to the new directory path. The values of session.cookie_lifetime, session.gc_maxlifetime and session.save_path are also set in each PHP program.
We are now facing a new problem with securing the session folder that stores the PHP sessions. These are some queries that I have in this regard.
1) Is it possible to have the session folder above public_html to avoid direct access? If not, what can be done to secure that folder?
2) Does anything need to be mentioned in .htaccess to secure the users.ini file or the session folder? (It currently uses the following in the .htaccess file: Options -Indexes <Files php.ini> order allow,deny deny from all </Files>)
3) Can anyone directly access session files like sess_xyz123 created in the session folder? (We can't browse the session files by visiting the URL www.domain.com/session/sess_xyz123.)
4) The session folder gets populated with session files on each user visit to the website. How do we remove empty session files that are no longer needed after the user leaves the website?
Looking forward to your reply. Thank you.
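As an added example (not the poster's code), a PHP bootstrap for the setup described above: it moves session.save_path out of the document root, sets the lifetime values in one place, and provides a sweep that removes expired and empty session files. The paths, the lifetime value and the assumption that PHP runs as the account owner are mine, not taken from the post.

```php
<?php
// Added example, not the original poster's code. Assumed layout: document root
// /home/user/public_html and session directory /home/user/session above it.
// Assumes PHP runs as the account owner (suPHP/FastCGI), as on most shared hosts.
declare(strict_types=1);

const DOC_ROOT     = '/home/user/public_html';
const SESSION_DIR  = '/home/user/session';
const MAX_LIFETIME = 86400; // seconds; the value used for session.gc_maxlifetime

function configureSessions(string $dir, int $lifetime): void
{
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    chmod($dir, 0700); // owner only: no other account on the host can read it
    // Refuse a save path inside the document root; files there become web-servable
    // the moment the .htaccess protection is lost or misconfigured.
    $real = realpath($dir);
    $root = realpath(DOC_ROOT);
    if ($root !== false && strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("session.save_path must be outside the document root");
    }
    session_save_path($real);
    ini_set('session.gc_maxlifetime', (string) $lifetime);
    ini_set('session.cookie_lifetime', (string) $lifetime);
    ini_set('session.cookie_httponly', '1'); // cookie not readable from JavaScript
    ini_set('session.cookie_secure', '1');   // cookie only sent over HTTPS
    ini_set('session.use_strict_mode', '1'); // reject session ids the server never issued
    ini_set('session.gc_probability', '1');  // some distributions set this to 0
    ini_set('session.gc_divisor', '100');    // so gc runs on roughly 1% of requests
}

// Explicit sweep for a cron job: delete sess_* files not modified within $lifetime
// (what PHP's probabilistic gc does) and empty files older than a short grace period
// (sessions that were started but never written to).
function sweepSessionFiles(string $dir, int $lifetime, int $emptyGrace = 300): int
{
    $now = time();
    $removed = 0;
    foreach (glob($dir . '/sess_*') ?: [] as $file) {
        $age = $now - filemtime($file);
        if ($age > $lifetime || (filesize($file) === 0 && $age > $emptyGrace)) {
            $removed += unlink($file) ? 1 : 0;
        }
    }
    return $removed;
}

configureSessions(SESSION_DIR, MAX_LIFETIME);
session_start();
$_SESSION['last_seen'] = time();
echo 'Removed ' . sweepSessionFiles(SESSION_DIR, MAX_LIFETIME) . " stale session files\n";
```

If the folder must stay under public_html, the existing `<Files php.ini>` block in .htaccess can be repeated for users.ini, and a separate .htaccess containing `order allow,deny` and `deny from all` placed inside the session folder refuses every direct request to it.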