Separate sessions directory (not /tmp) WITHOUT directory listing, on file systems with large number of inodes
There are 2 problems with PHP sessions:
1. There should be a different directory (session.save_path) for sessions which would DISALLOW directory listing. PHP session IDs are not a good idea to show to all users.
2. The /tmp (or other) file system needs to have a much larger inode table, because session files are usually small and plentiful. If inodes run out (which they do on busy servers), websites stop working properly.
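One way to set up and check both points, as an added example that is not part of the original post: a session directory that can be written to and traversed but not listed, plus an inode-usage check for the file system that holds it. The function names, the 80% threshold and the choice of mode 1733 (the mode Debian's PHP packaging uses for its session directory) are assumptions.

```shell
#!/bin/sh
# Added example. Function names and the 80% threshold are assumptions.
# Point session.save_path at the directory created here.

# Create a directory where users can create and open files by name (w+x)
# but cannot list them (no r for group/other). The sticky bit stops users
# from deleting each other's session files.
make_session_dir() {
    mkdir -p "$1" || return 1
    chmod 1733 "$1"
}

# Succeed only if group and other have no read bit on the directory,
# i.e. the mode string looks like drwx-wx-wt rather than drwxr-xr-x.
listing_blocked() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        d???-??-??) return 0 ;;
        *)          return 1 ;;
    esac
}

# Read `df -Pi` output on stdin and print the inode use percentage of the
# first file system line, or "unknown" if the file system reports none.
inode_use_pct() {
    awk 'NR == 2 {
        sub(/%/, "", $5)
        if ($5 ~ /^[0-9]+$/) print $5; else print "unknown"
    }'
}

# Return 1 when inode usage on the file system holding $1 reaches the limit.
check_inodes() {
    limit=${2:-80}
    pct=$(df -Pi "$1" 2>/dev/null | inode_use_pct)
    case $pct in
        ''|unknown) echo "inode usage unknown for $1"; return 2 ;;
    esac
    if [ "$pct" -ge "$limit" ]; then
        echo "WARN: $1 file system at ${pct}% inode use"; return 1
    fi
    echo "OK: $1 file system at ${pct}% inode use"
}

# Usage: sh this_script.sh /path/to/session/dir
if [ $# -eq 1 ]; then
    make_session_dir "$1" && listing_blocked "$1" && check_inodes "$1"
fi
```

With this mode, PHP's built-in session garbage collection cannot enumerate the directory unless it runs as the directory owner, so expired files have to be removed by a job running as that owner, or stale sessions will keep consuming inodes. On ext4 the inode count is fixed when the file system is created, so a dedicated session file system has to be sized for it at mkfs time.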