memcached and session

Joseph Engo dev.toaster at gmail.com
Fri Jun 6 16:41:40 UTC 2008


If you don't want to use a .domain.com cookie then I recommend using
one-time tokens to pass the information. You could use a database,
filesystem or memcache to store the real sessionid.

There is a common problem in PHP applications accepting and trusting
the sessionid that the client specifies. With some clever XSS, this
could lead to session takeovers using predetermined sessionids.

On Jun 6, 2008, at 7:03 AM, Benjamin Fonze wrote:

> Hi all,
>
> I'm using memcached to manage the PHP sessions (among other things)  
> and it works great.
>
> Now, I'm trying to share a session from my main domain, to a
> sub-domain. (without using cookies)
> I'm passing the session ID from one domain to the other, and set it  
> using session_id() however, the session is still another one, a new  
> one. (With the same session ID)
> Is it because of sessions security? Is there a way to share a  
> session between different subdomains without using cookies?
>
> Thanks for your help!
>
> Cheers,
> Benja.
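
The one-time token handoff recommended in the reply above, sketched as an added example that is not part of the original thread or anyone's posted code. `ArrayStore`, the `handoff:` key prefix, the function names and the 30-second lifetime are assumptions; `ArrayStore` stands in for the shared memcached pool so the script runs without a server.

```php
<?php
// Constructed in-memory stand-in for the shared store (hypothetical helper);
// add/get/delete behave like the same-named memcached client operations.
final class ArrayStore {
    private array $data = [];
    public function add(string $k, string $v, int $ttl): bool {
        if ($this->get($k) !== false) return false;   // add never overwrites
        $this->data[$k] = [$v, time() + $ttl];
        return true;
    }
    public function get(string $k) {
        if (!isset($this->data[$k]) || $this->data[$k][1] < time()) return false;
        return $this->data[$k][0];
    }
    public function delete(string $k): bool {
        $had = isset($this->data[$k]);
        unset($this->data[$k]);
        return $had;                                  // true only if it existed
    }
}

// Issuing host: mint a random single-use token that maps to the real session id.
function issueHandoffToken($store, string $sessionId, int $ttl = 30): string {
    $token = bin2hex(random_bytes(32));
    if (!$store->add("handoff:$token", $sessionId, $ttl)) {
        throw new RuntimeException('token collision');
    }
    return $token;   // this goes in the URL; the session id itself never does
}

// Receiving host: redeem the token. Only the caller whose delete() succeeds
// gets the session id, so a replayed, expired or guessed token yields null.
function redeemHandoffToken($store, string $token): ?string {
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) return null;
    $sid = $store->get("handoff:$token");
    if ($sid === false || !$store->delete("handoff:$token")) return null;
    return $sid;
}

$store = new ArrayStore();
$token = issueHandoffToken($store, 'constructed-session-id-123'); // constructed id
var_dump(redeemHandoffToken($store, $token));      // first redemption
var_dump(redeemHandoffToken($store, $token));      // replay of the same token
var_dump(redeemHandoffToken($store, 'not-hex'));   // malformed token
// On the receiving host the redeemed id is applied before the session starts:
//   session_id($sid); session_start();
```

The receiving host never accepts a session id chosen by the client; it only ever loads the id that the issuing host stored server-side under the token.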


