Introduction

PHP session files can quietly fill a shared hosting account when the application stores sessions in the default temporary directory and old session data is not being cleaned up. Once that directory grows too large, the account can hit disk or inode limits, and logins, carts, admin sessions, uploads, or other write operations may start failing. On shared hosting, the practical fix is to confirm where PHP is writing sessions, clear only stale session files, and make sure future sessions expire and clean up correctly.

Symptoms

  • The hosting panel shows unexpected growth in the TMP, temp, or /tmp area
  • Login sessions work inconsistently, or users are logged out and back in repeatedly
  • The site starts showing disk quota, inode, or write failure warnings
  • File Manager reveals large numbers of session files, often named with a sess_ prefix
  • The problem gets worse during traffic spikes or after a plugin, CMS, or PHP version change

Common Causes

  • PHP is writing session files to a shared temporary directory with no effective cleanup
  • session.save_path points to a writable folder, but old session files are not being removed
  • Session garbage collection settings are too weak for the site’s traffic pattern
  • The application creates many sessions for anonymous visitors, carts, or bots
  • A plugin, custom code, or hosting migration changed session handling without updating cleanup behavior

Step-by-Step Fix

  1. Confirm that the growth is actually coming from PHP session files by checking the TMP or temporary directory in the hosting File Manager and looking for large numbers of files named with a sess_ prefix.
  2. Verify the active PHP session storage path in your hosting control panel, PHP configuration view, or a temporary PHP info page so you know whether the site is using the default temp directory or a custom session.save_path.
  3. Check whether the affected directory is shared by multiple applications on the same hosting account, because deleting the wrong files in a shared temp location can break other sites or user sessions.
  4. Review the age of the session files and remove only clearly stale session files that are older than the expected session lifetime, using the hosting panel or File Manager rather than deleting the entire temp directory.
  5. If your hosting control panel allows custom PHP settings, set session.save_path to a dedicated writable folder inside the account so your application’s sessions are isolated from other temporary files.
  6. Reduce session retention to a practical value by reviewing settings such as session.gc_maxlifetime, because very long session lifetimes can keep old session files around far longer than the site actually needs.
  7. Make sure session cleanup can actually run by checking that PHP session garbage collection is enabled and that the session directory is writable by PHP, since stale files will accumulate if PHP cannot remove expired sessions.
  8. Review the application for avoidable session creation, especially shopping carts, preview tools, security plugins, or custom code that starts sessions for every visitor, because unnecessary session creation multiplies the number of files in shared hosting environments.
  9. Monitor the session directory after the change over at least one normal traffic cycle and confirm that new sess_ files are being created and old ones are disappearing at a steady rate instead of growing without limit.