Code to store PHP sessions within memcached.
Paul Dixon
lordelph at gmail.com
Fri Nov 17 12:04:37 UTC 2006
> PHP sessions have some security problems, mostly related to session fixation
> and such. There have also been a lot of bug- (crashes) and security-fixes
> (leaking information) to the session code, even in recent PHP versions, which
> makes me doubt the quality of the code.
I think the OP was referring to the fact you can replace PHP's session
manager with your own, and code which already works with php sessions
(i.e. with session_start() and $_SESSION[]) will work without change.
That said, the tailrank code above is not without its own security problems.
Firstly, because it doesn't use session cookies but permanent ones
which last a year, if you can discover someone's session id, you are
able to share their session with them until that cookie expires or they
clear their cookies.
Secondly, it trusts the client to provide a session id that was
actually created by the system. There's an attack vector there: if a
client makes a series of requests with sequential session ids, they'll
fill memcached with junk, reducing the efficiency of the cache.
Paul Dixon | blog.dixo.net
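The two problems raised in the post above (year-long cookies, and trusting whatever session id the client sends) can both be closed by a custom handler that only accepts ids it created itself. The following is an added example, not the tailrank code under discussion and not from the memcached project; it assumes PHP 8, the pecl Memcached extension, a memcached instance on 127.0.0.1:11211 and a 30-minute session lifetime.

```php
<?php
// Added example, not the tailrank code discussed above. Assumes PHP 8, the
// pecl Memcached extension and a memcached on 127.0.0.1:11211.
// With session.use_strict_mode on, PHP calls validateId() for every incoming
// id and issues a fresh one when it returns false, so a client can neither
// fixate a session nor fill memcached with ids it invented.
class MemcachedSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private Memcached $mc, private int $ttl) {}

    private function key(string $id): string { return 'sess:' . $id; }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $data = $this->mc->get($this->key($id));
        return $data === false ? '' : $data;   // '' means a new, empty session
    }

    public function write(string $id, string $data): bool
    {
        return $this->mc->set($this->key($id), $data, $this->ttl);
    }

    public function destroy(string $id): bool
    {
        $this->mc->delete($this->key($id));
        return true;
    }

    // memcached expires keys itself, so there is nothing to collect here.
    public function gc(int $max_lifetime): int|false { return 0; }

    // Accept only ids shaped like PHP session ids that already exist in
    // memcached, i.e. ids this handler itself stored through write().
    public function validateId(string $id): bool
    {
        return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) === 1
            && $this->mc->get($this->key($id)) !== false;
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        return $this->mc->touch($this->key($id), $this->ttl);
    }
}

ini_set('session.use_strict_mode', '1');
// Session cookie (lifetime 0) instead of a year-long one; not readable from JS.
session_set_cookie_params(['lifetime' => 0, 'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
$mc = new Memcached();
$mc->addServer('127.0.0.1', 11211);
session_set_save_handler(new MemcachedSessionHandler($mc, 1800), true);
session_start();
```

A request carrying an unknown or sequentially guessed id is answered with a newly generated id rather than a memcached entry under the client's chosen key, so the cache only ever holds sessions the server issued.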