I'm using the great jquery-file-upload image uploader, but need to store images for different users in subfolders. I can do this either by sending the name of the folder as a $_POST arg to upload.class.php or retrieve the name as a $_SESSION arg.
Is there a preference for security?
If the folder name is to be inputted by the user, it should be in a $_POST variable with an appropriate form.
If it is a variable to be determined by the server, per user, it should be a $_SESSION variable.
There's no question of security here, there's a question of which is more appropriate for the required functionality.
I would personally use $_SESSION propogated from a DB user row.
$_POST must go over the wire where as $_SESSION does not. Also $_POST is directly modifiable from the form so a user can manipulate your form to upload to directory that is not theirs, this would not be good.
The main problem with $_POST comes from it's source, the HTML form which must be sent client side first.
The most valuable concerns would be in how you use you variables (f.ex. preventing injections).
The two have very different persistences, also. You must choose whether you want a variable to be persistent session-wise ($_SESSION) or for only the particular page/script.