Take a look at this:
http://us2.php.net/manual/en/function.session-save-path.php

Thank you,
Micah Gersten
onShore Networks
Internal Developer
http://www.onshore.com

k bah wrote:
> Hi,
>
> I noticed session files are kept on /tmp for a while, and even if they were immediately deleted, well, someone could use one of my php scripts to inject code and read them, since they belong to the httpd user.
> What's the best way to receive passwords thru a form and store them in the $_SESSION while I process other information to decide whether or not that user is able to proceed and log in (check to see if user is also allowed to use that service, not just validate user/pw)? I use https, always, no plain http is used.
>
> Thanks
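
Added example, not part of the original thread or of either poster's code: one way to use session_save_path() to move session files out of the shared /tmp into a directory only the PHP user can read, with the cookie limited to HTTPS as the question describes. The directory path and the function name prepare_session_dir() are assumptions made for illustration.

```php
<?php
// Hypothetical location (assumption): outside /tmp and outside the web root.
const SESSION_DIR = '/var/lib/php-sessions/myapp';

/**
 * Make sure the session directory exists, is a real directory owned by the
 * user PHP runs as, and grants nothing to group or other.
 */
function prepare_session_dir(string $dir): void
{
    if (is_link($dir)) {
        throw new RuntimeException("$dir is a symlink, refusing to use it");
    }
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    clearstatcache(true, $dir);

    // Refuse a directory that belongs to some other local account.
    if (function_exists('posix_geteuid') && fileowner($dir) !== posix_geteuid()) {
        throw new RuntimeException("$dir is not owned by the PHP user");
    }
    // Strip any group/other permission bits left by an earlier setup.
    if ((fileperms($dir) & 0077) !== 0 && !chmod($dir, 0700)) {
        throw new RuntimeException("cannot restrict permissions on $dir");
    }
}

prepare_session_dir(SESSION_DIR);

// Both calls must happen before session_start().
session_save_path(SESSION_DIR);
session_set_cookie_params([
    'secure'   => true,   // cookie is only sent over HTTPS
    'httponly' => true,   // not readable from page JavaScript
    'samesite' => 'Lax',  // array form needs PHP 7.3 or later
]);
session_start();
```

A private save path keeps other local accounts away from the session files; code that runs as the httpd user itself, the case raised in the question, can still read them.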