
Where is the safest place to store session IDs on shared hosting



Hi, quick question. I have recently changed the save path of my sessions on the coding level to be one level above the root directory of my domain. I am on shared hosting and thought I read it was a bit of a security problem as anyone on your host can have access to the session IDs. Was this the right thing to do to change the save path? Is it safer? Are my sessions safe in that location and is there any way they can be accessed?
Well they are but a matching file is saved on the host's server in a temporary directory that is common to all websites that use that host.  I wanted to change it to a private directory that only I could access, but am not sure if it is secure, even though it is one level above my domain directory.  Anybody know?
If you are on a shared host then I would save the sessions to a private directory in your webspace. The best place would be outside of your web root (the web root is the directory in which you upload your files to). That way it is inaccessible from people browsing your website. Only you can read that directory (via FTP).
I think the bigger problem is that through scripts or CGI a different user on the system could access someone's sessions.
As far as I know the most secure way would be to handle all the session calls through MySQL using session handler functions.
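
Added example, not part of the original thread: a PHP check, run before `session_start()`, that the private session directory discussed above sits outside the web root and is closed to other local accounts, and that flags the case where PHP runs as a user other than the script's owner. The directory name `php_sessions` and the function `audit_session_dir` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Returns a list of problems found with a candidate session directory.
function audit_session_dir(string $dir, string $webRoot): array
{
    $real = realpath($dir);
    if ($real === false || !is_dir($real)) {
        return ["$dir does not exist or is not a directory"];
    }
    $problems = [];
    $root = realpath($webRoot);
    // Inside the web root, session files could be requested over HTTP.
    if ($root !== false && strpos($real . '/', rtrim($root, '/') . '/') === 0) {
        $problems[] = 'directory is inside the web root';
    }
    // Any group/other permission bit lets other local accounts in.
    $mode = fileperms($real) & 0777;
    if (($mode & 0077) !== 0) {
        $problems[] = sprintf('mode %04o is too open, expected 0700', $mode);
    }
    if (function_exists('posix_geteuid')) {
        $euid = posix_geteuid();
        if (fileowner($real) !== $euid) {
            $problems[] = 'directory is not owned by the user PHP runs as';
        }
        // Heuristic: if PHP does not run as the owner of this script, it is
        // probably a web-server user shared with other sites' scripts, and
        // directory permissions alone will not keep those scripts out.
        if (getmyuid() !== $euid) {
            $problems[] = 'PHP runs as a different user than the script owner';
        }
    }
    return $problems;
}

$webRoot    = ($_SERVER['DOCUMENT_ROOT'] ?? '') ?: __DIR__;
$sessionDir = dirname($webRoot) . '/php_sessions'; // hypothetical directory name

if (!is_dir($sessionDir)) {
    mkdir($sessionDir, 0700, true);
}
$problems = audit_session_dir($sessionDir, $webRoot);
if ($problems !== []) {
    error_log('session dir check failed: ' . implode('; ', $problems));
    http_response_code(500);
    exit;
}
session_save_path($sessionDir);
session_start();
```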