diff --git a/functions/session.xml b/functions/session.xml
index eedbccc4b3..1f5e9b9253 100644
--- a/functions/session.xml
+++ b/functions/session.xml
@@ -184,6 +184,14 @@ To continue, <A HREF="nextpage.php?<?=SID?>">click here</A>
 handler, this is the path where the files are created. Defaults to /tmp.
+
+
+ If you leave this set to a world-readable directory, such as
+ /tmp (the default), other users on the
+ server may be able to hijack sessions by getting the list of
+ files in that directory.
+
+