In order to simplify life (for example when we refactor/improve security in our sessions in #12164), I'd like to propose that we remove the File Sessions Handler in Piwik, and default everyone to use the Database session handler.
By default Piwik uses the filesystem as a session handler.
A more reasonable first step would be to instead enable database sessions by default in Piwik, but leave the file session handler in case it is still useful to have.
It will be great to enable DB-based sessions in Matomo 3.7.0. It will improve security because currently only on Apache2 we explicitly disable opening session files (on IIS or Nginx session files may be possible to open via direct web access). So once we store sessions in the DB it becomes impossible to directly access the content of the sessions in the tmp/sessions/ folder by guessing (or stealing) session tokens.
On top of activating DB sessions by default, we also want to:
It is important that people use DB sessions for maximum security and ensuring session files can't be read (when accessed directly).
If it is so important, why do you keep the functionality in there?
:boom: even better! let's remove the feature of file-based sessions :tada: