Forum Moderators: coopster
My website uses sessions for the usual malarkey - user logins, etc.
I'm on a shared server, with sessions saved in '/tmp'. I've been told that this is prone to session hijacking, since the whole server's session files are stored in that directory, not each domain/subdomain having its own '/tmp' directory. (The server's using Red Hat)
If they're vulnerable in here, what's the best course of action to take? I can't create directories outside my webroot (except in cgi/bin) so a custom directory is out of the question (again, unless I can use cgi/bin? doesn't seem a good idea).
I'm thinking then, of a database/cookies solution, storing a 'session' cookie on the user's computer with the value of a hashed session id, which then points to the appropriate row in a 'sessions' table in the database. Can anyone point me in the direction of a suitable session database class, incidentally?
Could anyone advise me on this? What do you gurus do about session handling (please don't say "buy a dedicated server" because I can't! :D )? I've been using the /tmp dir for nearly two years now without any problems, but have only just got round to thinking seriously about session security.
Thanks for any help!
Alex ...
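Added example (not code from the post above): a PHP session save handler of the kind the database/cookies idea sketches. It keeps the normal PHPSESSID cookie but stores sessions in a table keyed by the SHA-256 hash of the session id, so the files never touch the shared /tmp and a read of the table (a leaked dump, an injection elsewhere) does not hand out usable cookies. It assumes PHP 8.0+ with PDO; the SQLite DSN, the table name `sessions`, the class name `DbSessionHandler` and the `login_user()` helper are all illustrative choices, not anything from the post. Swap the DSN for the host's MySQL credentials on a real shared server.

```php
<?php
// Added example: database-backed session storage for a shared host.
// Assumes PHP 8.0+ with PDO. DSN, table name and helper names are placeholders.

class DbSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    private PDO $db;
    private int $ttl;

    public function __construct(PDO $db, int $ttl = 1440)
    {
        $this->db  = $db;
        $this->ttl = $ttl;
        // Only the hash of the session id is stored; the raw id lives solely in the cookie.
        $this->db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id_hash TEXT PRIMARY KEY,
            data    BLOB NOT NULL,
            expires INTEGER NOT NULL
        )');
    }

    private function key(string $id): string
    {
        return hash('sha256', $id);
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id_hash = :k AND expires > :now');
        $stmt->execute([':k' => $this->key($id), ':now' => time()]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ? (string) $row['data'] : '';
    }

    public function write(string $id, string $data): bool
    {
        // REPLACE INTO works as an upsert on both SQLite and MySQL.
        $stmt = $this->db->prepare('REPLACE INTO sessions (id_hash, data, expires) VALUES (:k, :d, :e)');
        return $stmt->execute([':k' => $this->key($id), ':d' => $data, ':e' => time() + $this->ttl]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id_hash = :k');
        return $stmt->execute([':k' => $this->key($id)]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE expires <= :now');
        $stmt->execute([':now' => time()]);
        return $stmt->rowCount();
    }

    // Needed for session.use_strict_mode to bite with a user handler:
    // an id the client made up (session fixation) is rejected unless we already issued it.
    public function validateId(string $id): bool
    {
        $stmt = $this->db->prepare('SELECT 1 FROM sessions WHERE id_hash = :k AND expires > :now');
        $stmt->execute([':k' => $this->key($id), ':now' => time()]);
        return (bool) $stmt->fetchColumn();
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        $stmt = $this->db->prepare('UPDATE sessions SET expires = :e WHERE id_hash = :k');
        return $stmt->execute([':e' => time() + $this->ttl, ':k' => $this->key($id)]);
    }
}

// Placeholder DSN; on a shared host this would be the account's own MySQL database.
$db = new PDO('sqlite:' . __DIR__ . '/sessions.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

session_set_save_handler(new DbSessionHandler($db, 1440), true);

// Cookie hardening: no id in URLs, reject unknown ids, HTTPS-only, not readable by script.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

session_start();

// Illustrative helper: rotate the id when privilege changes so a pre-set id cannot be reused.
function login_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

The database credentials are what give the isolation here: another account on the same box can list /tmp, but it cannot query a database it has no login for. Hashing the stored key is a second layer on top of that, not a substitute for it.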