A shared hosting environment offers interesting concerns for all parties involved with Sessions being no different. This tip is specific for PHP but the principles apply to other languages as well. 
 
Before moving on it's highly recommended to first read the following PHP manual pages (not just skim, or read parts, but actually read!):

<ul>
	<li>
	<a href="http://php.net/manual/ref.session.php" target="_blank">Reference: Sessions</a>
	</li>
	<li>
	<a href="http://php.net/manual/ref.session.php#ini.session.save-path" target="_blank">Directive: session.save_path</a>
	</li>
</ul>

<h2 id="hn_INI_Directives">INI Directives</h2>

Tips on various PHP Session related directives:

<ul>
	<li>
	By default (for ASO shared hosting environments) set to '/tmp',&nbsp;meaning session files are saved here for all users of the hosting server/computer
	</li>
	<li>
	This makes it easy/possible for other users to peek in on (steal) this session data, and hijack sessions
	</li>
</ul>

Consider setting this directive to a path like '/home/yourusername/tmp'.&nbsp;Essentially you must:

<ul>
	<li>
	Be sure the path exists (by creating it in FTP or SSH)
	</li>
	<li>
	Since session.save_path is&nbsp;PHP_INI_ALL&nbsp;it can be set either:

	<ul>
		<li>
		In the PHP script itself using&nbsp;<a href="http://php.net/session-save-path" target="_blank">session_save_path</a>() or ini_set()
		</li>
		<li>
		Or in .htaccess
		</li>
		<li>
		Or in php.ini
		</li>
	</ul>
	</li>
	<li>
	Setting to a home path also affects disk usage but typically these files are small
	</li>
</ul>

&nbsp;

PHP Sessions Overview

https://eig-cap-content-cdn-prod.s3.amazonaws.com/aso/img

https://help.asmallorange.com/index.php?/Knowledgebase/Article/GetAttachment/14/392234/Image/rteImages/