I'm just starting to play with sessions; one thing I'd like to do is to track known users and log how often they visit, which will involve reading a file of uname/passwords, and alos writing to another file for the log.

My question is whether it's considered bad practise to use the same /tmp directory for these files, or whether I should use a different directory. By the same token - is it necessary to keep the users file in a folder above root, or is a public folder with a blank index file considered safe enough?

Well, I dont know about the /tmp dir, I personally would keep this for sessions.

I do however think that it would be best to keep information about users in a directory behind root. It is a little safer, and also, it is not like there is any more work involved.

Thats my opinion anyways :D

The /tmp directory is often poorly configured on shared hosts in a way that every user has read access to it, so that PHP can read session files from it. I would not advise to store this somewhat sensitive data in the /tmp dir, it's a bad place to store permanent things anyway. Create your own directory above the web root as told by missing-score.

Allright - thanks for the confirmation.