There's absolutely no control over the session.save_path parameter in PHP. By setting it to every directory he wants, every user can:

1. (!!!) Absolutely easily generate new sessions with any content for every site on the server.
2. Delete other users' sessions by setting gc to 100, and probably legal files starting with sess_*.
3. Flood every HTTP-server-writable directory with thousands or millions of files.

session.save_path should be controlled under the open_basedir variable or some other mechanism.

--
PHP General Mailing List (http://www.php.net/)
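A defender-side check for the condition this message describes, added here as an example and not part of the original post: it reports whether the effective session.save_path sits inside open_basedir, whether the directory is world-writable, and whether a script on this runtime can repoint the setting. The helper names `path_within()` and `audit_session_save_path()` are hypothetical, and Unix-style paths are assumed.

```php
<?php
// Added example, not from the original post. path_within() and
// audit_session_save_path() are hypothetical helper names.

function path_within(string $path, string $base): bool
{
    // Compare with trailing slashes so /var/www does not match /var/www2.
    $path = rtrim($path, '/') . '/';
    $base = rtrim($base, '/') . '/';
    return strncmp($path, $base, strlen($base)) === 0;
}

function audit_session_save_path(): array
{
    $findings = [];
    // save_path may be "N;MODE;/dir"; the directory is the last field.
    $parts = explode(';', (string) ini_get('session.save_path'));
    $dir = end($parts);
    if ($dir === '') {
        $dir = sys_get_temp_dir(); // the files handler uses the temp dir when unset
    }

    $bases = array_filter(explode(PATH_SEPARATOR, (string) ini_get('open_basedir')));
    if (!$bases) {
        $findings[] = 'open_basedir is not set, so nothing confines file access';
    } elseif (!array_filter($bases, fn($b) => path_within($dir, $b))) {
        $findings[] = "session.save_path ($dir) lies outside open_basedir";
    }

    // A world-writable directory is shared by every account on the host.
    $perms = @fileperms($dir);
    if ($perms !== false && ($perms & 0002)) {
        $findings[] = "$dir is world-writable";
    }

    // Probe: can a script repoint the setting at runtime? Restore afterwards.
    $old = @ini_set('session.save_path', DIRECTORY_SEPARATOR);
    if ($old !== false) {
        ini_set('session.save_path', $old);
        $findings[] = 'scripts can change session.save_path at runtime';
    }
    return $findings;
}

foreach (audit_session_save_path() as $f) {
    echo "[!] $f\n";
}
```

Run it under the same SAPI and virtual host configuration as the sites being audited, before any output or session_start(), since the runtime probe depends on the settings in effect for that context.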