Code to store PHP sessions within memcached.

Paul Dixon lordelph at
Fri Nov 17 12:04:37 UTC 2006

> PHP sessions have some security problems, mostly related to session fixation
> and such. There have also been a lot of bug- (crashes) and security-fixes
> (leaking information) to the session code, even in recent PHP versions, which
> makes me doubt the quality of the code.

I think the OP was referring to the fact you can replace PHP's session
manager with your own, and code which already works with php sessions
(i.e. with session_start() and $_SESSION[]) will work without change.

That said, the tailrank code above is not without its own security problems.

Firstly, because it doesn't use session cookies but permanent ones
which last a year, if you can discover someones session id, you are
able shared their session with them until that cookie expires or  they
clear their cookies.

Secondly, it trusts the client to provide a session id that was
actually created by the system. There's an attack vector there if a
client makes a series of requests with sequential session ids, they'll
fill memcached with junk, reducing the efficiency of the cache.

Paul Dixon |

More information about the memcached mailing list