
Are PHP sessions stored in /tmp on shared hosting safe?

I have heard that there are security problems that arise because of this. Would it be wise to use purely databases for storing PHP sessions rather than in /tmp?


They are unsafe (although the Suhosin extension can encrypt them, providing a little bit of security). You shouldn't need to switch to a database just because of this (although there are other valid reasons to do so). The easiest way is to just set session.save_path to a directory only you can access.
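
One way to apply the `session.save_path` advice above, as an added example that is not part of the original answer. The directory name `private/sessions` and the helper `use_private_session_dir()` are hypothetical; the path is assumed to sit inside your own account and outside the web root.

```php
<?php
declare(strict_types=1);

// Added example: point PHP sessions at an owner-only directory and fail
// closed if the directory is not actually private.
function use_private_session_dir(string $dir): void
{
    // Create the directory (and parents) with owner-only access if missing.
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create session directory: $dir");
    }
    // A symlink could redirect session files somewhere shared.
    if (is_link($dir)) {
        throw new RuntimeException("session directory is a symlink: $dir");
    }
    // mkdir() is subject to umask and an existing directory may be looser,
    // so check the real mode and tighten it to 0700 when needed.
    clearstatcache(true, $dir);
    if ((fileperms($dir) & 0777) !== 0700 && !chmod($dir, 0700)) {
        throw new RuntimeException("cannot restrict permissions on: $dir");
    }
    // The directory must belong to the user PHP runs as (POSIX hosts only).
    if (function_exists('posix_geteuid') && fileowner($dir) !== posix_geteuid()) {
        throw new RuntimeException("session directory has a different owner: $dir");
    }
    // Must happen before session_start(); ini_set() returns false on failure.
    if (ini_set('session.save_path', $dir) === false) {
        throw new RuntimeException('cannot set session.save_path');
    }
}

// Hypothetical layout: this script lives in the web root, and the session
// directory is a sibling of the web root, so it is never served over HTTP.
use_private_session_dir(dirname(__DIR__) . '/private/sessions');
session_start();
```

This only isolates sessions when PHP runs under your own account (for example a per-user PHP-FPM pool or suEXEC); if every tenant's scripts run as the same web server user, a 0700 directory owned by that user is still readable by their code. If `open_basedir` is set, the directory has to be inside it.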


If session data contains sensitive pieces of information, it's unsafe to have it available to anyone you can't trust, of course.

At the same time, a database is an external system that reduces overall reliability if your code depends on it, not to mention the additional computational overhead as compared to using the plain filesystem.

So it's not necessarily a matter of wisdom, but, as always, a matter of using the right tool for the job.


No, they can be read by your host provider, if you're using shared hosting, if he/she wants ...
