Code to store PHP sessions within memcached.

Reinis Rozitis roze at
Fri Nov 17 15:48:31 UTC 2006

> I think the OP was referring to the fact you can replace PHP's session
> manager with your own, and code which already works with php sessions
> (i.e. with session_start() and $_SESSION[]) will work without change.

Indeed. You dont need to serialize() or whatever other way alter the session 
data. It's done by php itself.
Okay you can discuss how efficient it is but thats another question.

> Firstly, because it doesn't use session cookies but permanent ones
> which last a year, if you can discover someones session id, you are
> able shared their session with them until that cookie expires or  they
> clear their cookies.

Its wrong. cookies are handled from the php side (in any way you wish).

That is:
1) php checks if the user supports cookies at all.
2) Depending on the first point it sets cookie (with the php.ini settings - 
the cookie lifetime ( I preffer that cookie remains until active browser 
session) / the domain and latest is a nice feature http_only cookies (no 
crossite JS)) or rewrites all the links inside page apending sessionid
3) Relying just on unique session id is wrong.
Thats why you write in session data also users IP and maybe some extra hash 
(from browser version or whatever comes in your mind). That way besides 
stealing the session ID you need also the same IP (okay possible with 
proxies (but also another discussion)) and the same browser version (or 
whatever that hash comes from).

> Secondly, it trusts the client to provide a session id that was
> actually created by the system. There's an attack vector there if a
> client makes a series of requests with sequential session ids, they'll
> fill memcached with junk, reducing the efficiency of the cache.

They wont. And let me explain why. If you request page and give some certain 
or just generate random session id NO new data would be stored in memcache. 
php only tries to fetch data from the server. If you are lucky you could be 
able to guess few ;) Still according to some security measures the session 
will be useless to you and wont be altered.
The only way new item is stored in MC is to open the session page for the 
first time or with expired session that is when the session and ID is 
regenerated. But thats the webservers part to take evasive precaution not to 
allow too much (bad) requests from single user.

I dont talk here about payment systems where the session is crucial , but on 
some common webproject site where you need sessions on bunch of servers it 
works like a charm .. at least for us.

But hey is this a PHP list? :)


More information about the memcached mailing list