Initial

Initial php.ini Settings for Session Management

Before you get started with this chapter, you may have to make a couple of minor changes to your php.ini file so that sessions work correctly.

On Windows

If you are using a Windows version of PHP, the first thing you need to do is to edit your php.ini file. The default session setting in php.ini will not work correctly under Windows.

Open your php.ini file, which is found in c:\windows or c:\winnt, in a text editor and search for the line:

 session.save_path = /tmp  

Change it to a directory in which you keep temporary files, for example:

 session.save_path = C:/temp  

You could also leave the value as /tmp and create a directory named "tmp" at the root of the drive on which your Web server resides. For example, if your Web server was located in D:/apache/bin, then you could create the directory d:/tmp and you would not have to change the session.save_path setting in php.ini.

A good indication that the session.save_path has not been set correctly on Windows is if Apache crashes when you try to load a session-enabled page.

On Linux

If you are using Linux, you need to make sure that your /tmp directory can be written to by the user who runs the Web processes. Typically this is the user nobody, and most systems, by default, allow the nobody user to write to the /tmp directory.

The rest of the default session settings should work fine for you in the examples in this chapter.

General Considerations

You should not store the session files in any directory which is viewable from your Web server. If you are using Apache, then that would be any directory under the htdocs directory. The reason you do not want to place session files in a directory that is viewable from your Web server is because malicious users may be able to open those files and view individual session data, and even hijack user's sessions in this manner.