How does session.save_path secure your sessions and improve their performance?
I would like to know why you improve the security of your sessions if you change session.save_path from the default /tmp to a real directory in your home directory, before public_html?
Security:
If multiple applications write their sessions in the same directory, this can potentially allow a user to manipulate the content of their session and bypass the security of another application.
For example, if application A relies on $_SESSION['is_admin'] being set to true for admin users, and application B allows the user to set $_SESSION['is_admin'] to true, then the user can become admin on application A.
Setting a different session.save_path for each application avoids this problem.
If you don't control the other applications running on the same server, you should either store the sessions in a directory that's not accessible by other applications, or encrypt the sessions so that other applications can't read and modify them.
See this slide (starting at page 15).
The PHP suhosin patch / module can encrypt your session automatically.
Performance:
PHP has to periodically walk through all sessions in session.save_path in order to remove the expired sessions. Having too many sessions in this directory can degrade performance.
If you have a different session.save_path per application, you have fewer sessions in each session directory.
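As an added example (not part of the answer above), here is a PHP bootstrap that gives one application its own session directory beside public_html, creates it with owner-only permissions, and refuses to start the session if the directory is readable or writable by other users. The application name 'appA', the directory layout and the assumption that __DIR__ is the application's document root are illustrative, not from the original post.

```php
<?php
// Added example: isolate this application's session files from other
// applications on the same host by giving it a private session.save_path.
declare(strict_types=1);

function privateSessionPath(string $appName): string
{
    // Assumption: __DIR__ is the document root, so dirname(__DIR__) is the
    // directory that also contains public_html; sessions go beside it,
    // never inside the web root.
    $base = dirname(__DIR__) . '/sessions';
    $dir  = $base . '/' . preg_replace('/[^A-Za-z0-9_-]/', '_', $appName);

    // Create the directory owner-only (mode is still subject to umask,
    // which can only make it stricter than 0700).
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create session directory $dir");
    }

    // Refuse to run if group or others can read or write the directory:
    // a process running as another user could then read or alter sessions.
    clearstatcache(true, $dir);
    $mode = fileperms($dir) & 0777;
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(
            sprintf('session dir %s has mode %o; expected 0700', $dir, $mode)
        );
    }
    if (!is_writable($dir)) {
        throw new RuntimeException("session directory $dir is not writable");
    }
    return $dir;
}

// One distinct path per application, so a $_SESSION value written by another
// application (e.g. is_admin) is never read by this one.
session_save_path(privateSessionPath('appA'));

// Only accept session IDs PHP itself generated; an unknown ID in the cookie
// gets a fresh session instead of creating a file with an attacker-chosen name.
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');

session_start();
```

Note that separate directories only help against other applications when those run as a different system user; if every site runs as the same user, the permission check passes but any of them can still open the others' directories.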