diff --git a/roles/webserver-legacy/php-sites/files/php.ini b/roles/webserver-legacy/php-sites/files/php.ini
--- a/roles/webserver-legacy/php-sites/files/php.ini
+++ b/roles/webserver-legacy/php-sites/files/php.ini
@@ -23,3 +23,7 @@
 
 [Pdo_mysql]
 pdo_mysql.default_socket = /var/run/mysqld/mysqld.sock
+
+[Session]
+; Don't flood /tmp (T417)
+session.save_path = "/var/tmp/php/sessions"
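Review bot: Nothing next to the new `session.save_path` line says how files in /var/tmp/php/sessions get expired, and /var/tmp is not cleared on reboot. With the files save handler an expired session file stays usable until something deletes it, so if this php.ini leaves `session.gc_probability` at 0 (some distribution packages do, relying on a cron job that only knows their default path; not visible in this hunk), old sessions will pile up and outlive their intended lifetime. Either set `session.gc_probability = 1`, `session.gc_divisor = 100` and an explicit `session.gc_maxlifetime` in this `[Session]` section, or manage a cleanup job for the new path in php.sls. A one-line comment stating which of the two is in effect would help the next reader.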
diff --git a/roles/webserver-legacy/php-sites/php.sls b/roles/webserver-legacy/php-sites/php.sls
--- a/roles/webserver-legacy/php-sites/php.sls
+++ b/roles/webserver-legacy/php-sites/php.sls
@@ -10,3 +10,17 @@
 {{ dirs.etc }}/php.ini:
   file.managed:
     - source: salt://roles/webserver-legacy/php-sites/files/php.ini
+
+#   -------------------------------------------------------------
+#   Session directory
+#   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+/var/tmp/php:
+  file.directory:
+    - mode: 1770
+    - group: web
+
+/var/tmp/php/sessions:
+  file.directory:
+    - mode: 1770
+    - group: web
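Review bot: Mode 1770 on /var/tmp/php/sessions gives every member of group `web` read permission on the directory, so each of them can list the `sess_*` file names, and those names contain the session IDs. If more than one site account belongs to `web` (not visible here), dropping the group read bit with `- mode: "1730"` keeps create-and-open-by-name working while preventing enumeration; the trade-off is that PHP's own garbage collector can no longer scan the directory, so cleanup would have to run as root. Both states also omit `user:`, leaving ownership to whatever account the minion runs as; `- user: root` would make it explicit. Quoting the mode (`"1770"` or `"1730"`) also avoids YAML treating it as a plain integer.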