Originally posted by zupanm
actually their workaround is the best solution.. Just make a dir to store the sessions and only allow the apache user to get in and read write to that dir.
I would say:
allow the apache user to only get in and read write to that dir.
The idea is that the Apache user shouldn't be able to list the contents of the directory.
However, that provided solution doesn't stop anybody on the server from getting direct and full access to other users' sessions if they get to know the sessions id.
The solution provided by 'priyadi' is better and good for solving other problems too, like everybodies ability to directly read others' PHP files containing DB passwords
sessionid's that are incorporated into the URL's (like in this forum) can be easily extracted from the httpd's logs, to solve this, you must give the httpd user ONLY WRITE ACCESS to the log files, and NO READ ACCESS.
You must also note that if you take read access to the logs away from the httpd user, you must make sure that log analizers will run in a different way, allowing them to get read access to the files.