Forum Moderators: coopster


Session save path security setup

doesn't seem right to me, please double check my setup


rich_b

2:12 pm on Aug 3, 2005 (gmt 0)

10+ Year Member



Hi,
I have altered the save path of my PHP sessions on the shared server I use from the default of /tmp to /home/*myaccount*/sessionstorage to improve security. This new folder is not under the web root. I initially CHMODed the permissions of 'sessionstorage' to allow full read, write and execute permissions to everyone (777) to check that the path is specified correctly.

Now I am trying to tighten up the security as 777 allows everyone full access which is obviously bad.
However, the only setting I can get to work (other than 777) is 773 (user: all, group: all, world: write, execute, but not read).

Most importantly, can anyone tell me if this is now secure? Have I done the right thing by storing the session files in my file system but not under the web root?

For extra bonus kudos can anyone explain these queries? I don't understand why my PHP app needs 'world' to have any rights at all - perhaps PHP runs in the security context of the user, not the account of the PHP process itself?

If 'world' must have 'write' rights for sessions to work, why doesn't it need 'read' rights as well? Surely it will need to read the session file at some point?

Just in case I haven't bored you to death by now, here is the full list of what I tried: :p

771 doesn't work (world: execute)
773 works (world: write, execute)
775 doesn't work (world: read, execute)
776 doesn't work (world: read, write)

Thanks very much!

John_Keates

2:49 pm on Aug 3, 2005 (gmt 0)

10+ Year Member



PHP runs as the same user as the one who started it?

Apache starts PHP, so the user is the same as Apache's.
If you ran PHP from the command line to do something, the user would be you.
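The two posts above fit together once you model how a directory's permission bits are checked: the kernel picks exactly one class (owner, group, other) for the calling process, and on a directory the bits mean traverse (x), create/remove entries (w) and list entries (r). PHP's file session handler, running as the web-server user rather than the hosting account, is "other" for a directory owned by the account, and it only ever needs to create `sess_<id>` and reopen it by name, never to list the directory. The script below is an added example, not code from either poster; the uids and user names in it are constructed assumptions, and it assumes mod_php runs as the web-server user as the reply says. It reproduces the poster's 771/773/775/776/777 results and also evaluates a group-owned layout with the sticky bit, which the thread does not discuss.

```python
"""Model of the POSIX directory-permission check, used to explain why
773 lets PHP sessions work while 771, 775 and 776 do not.
Added example; identities below are constructed assumptions."""

import stat

# Constructed identities (assumptions): the hosting account that owns
# the session directory, and the web-server user mod_php runs as.
OWNER = {"name": "myaccount", "uid": 1001, "gid": 1001}
WEBSERVER = {"name": "apache", "uid": 48, "gid": 48}


def class_bits(mode, dir_uid, dir_gid, proc):
    """Return the rwx triple (0-7) that applies to `proc` for a directory
    owned by dir_uid:dir_gid with permission bits `mode`.  POSIX selects
    exactly one class: owner if the uid matches, else group if the gid
    matches, else other.  It never falls through to a more permissive class."""
    if proc["uid"] == dir_uid:
        return (mode >> 6) & 0o7
    if proc["gid"] == dir_gid:
        return (mode >> 3) & 0o7
    return mode & 0o7


def dir_ops(mode, dir_uid, dir_gid, proc):
    """Map the applicable bits to the operations a session handler cares
    about.  On a directory: x = traverse (reach an entry by name),
    w = add or remove entries (x required as well), r = list entries.
    Opening sess_<id> by its known name does not need r at all."""
    bits = class_bits(mode, dir_uid, dir_gid, proc)
    r, w, x = bool(bits & 4), bool(bits & 2), bool(bits & 1)
    sticky = bool(mode & stat.S_ISVTX)
    return {
        "open_known_session": x,
        "create_session": w and x,
        "list_sessions": r,
        # With the sticky bit set only the entry's owner (or the directory
        # owner) may unlink an entry, as on /tmp.
        "remove_others_entries": w and x and (not sticky or proc["uid"] == dir_uid),
    }


def php_sessions_work(mode, dir_uid, dir_gid, proc=WEBSERVER):
    """PHP's file session handler must create sess_<id> and later reopen
    it by name; listing the directory is never required."""
    ops = dir_ops(mode, dir_uid, dir_gid, proc)
    return ops["create_session"] and ops["open_known_session"]


def explain(mode, dir_uid, dir_gid, proc=WEBSERVER):
    """One-line summary of what `proc` may do in the directory."""
    ops = dir_ops(mode, dir_uid, dir_gid, proc)
    flags = ", ".join(f"{k}={'yes' if v else 'no'}" for k, v in ops.items())
    verdict = "sessions work" if php_sessions_work(mode, dir_uid, dir_gid, proc) else "sessions fail"
    return f"{mode:04o} as {proc['name']}: {flags} -> {verdict}"


if __name__ == "__main__":
    # The modes the poster tried, directory owned by the hosting account.
    for mode in (0o771, 0o773, 0o775, 0o776, 0o777):
        print(explain(mode, OWNER["uid"], OWNER["gid"]))
    # A tighter layout (assumption: the host lets the directory be
    # group-owned by the web-server group): no world bits, sticky bit set.
    print(explain(0o1770, OWNER["uid"], WEBSERVER["gid"]))
```

Run it and the table matches the thread: only the modes giving "other" both w and x (773, 777) work for the web-server user, and 773 still denies it the listing that r would grant. The last line shows why 770 with the web-server group on the directory (plus the sticky bit) is the shape to aim for when the host permits it: PHP keeps everything it needs through the group class and "other" gets nothing.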