Changelog

PHP sessions and uploads are now stored in a private directory

PHP sessions and uploads used to be stored in a shared directory, /tmp. Although files were not readable by other users, filenames could be listed, which could help malicious users to hijack sessions.

Those files are now stored in a private directory, ~/admin/tmp, which prevents other users from even listing them. This change is transparent, but please ensure you don't override session.save_path in your php.ini to store sessions in a shared directory.
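One way to check for such an override, as an added example (not the hosting provider's code): it reads the text of a php.ini, extracts session.save_path, and reports whether that directory's permission bits let other accounts list its file names. The function names and the sample php.ini content are assumptions made for this illustration.

```python
import os
import stat

def parse_save_path(ini_text):
    """Return the directory set by the last session.save_path line, or None."""
    found = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith(";") or "=" not in line:
            continue  # comment, section header or blank line
        key, value = (part.strip() for part in line.split("=", 1))
        if key != "session.save_path":
            continue
        if value[:1] in ('"', "'"):
            value = value[1:].split(value[0], 1)[0]  # text inside the quotes
        else:
            value = value.split(";", 1)[0].strip()   # drop an inline comment
        # PHP also accepts "N;/path" and "N;MODE;/path"; keep only the path.
        found = value.rsplit(";", 1)[-1]
    return found or None

def listable_by_others(directory):
    """True if group or other has the read bit, i.e. can list file names.
    Assumption: only this directory's own mode is checked, not its parents."""
    mode = os.stat(directory).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

def audit(ini_text):
    path = parse_save_path(ini_text)
    if path is None:
        return "default"  # no override, so the host's setting applies
    return "shared" if listable_by_others(path) else "private"

if __name__ == "__main__":
    # Constructed sample: an override pointing back at the shared /tmp.
    sample = '[Session]\nsession.save_path = "/tmp"\n'
    print(parse_save_path(sample), "->", audit(sample))
```

A result of "shared" means the override should be removed or pointed at a directory only your account can read.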


24 Oct. 2018