memcached and session

Joseph Engo dev.toaster at
Fri Jun 6 16:41:40 UTC 2008

If you don't want to use a cookie then I recommend using 1  
time tokens to pass the information.  You could use a database,  
filesystem or memcache to store the real sessionid.

There is a common problem in PHP applications accepting and trusting  
the sessionid that the client specifies.   With some clever XSS, this  
could lead to session take overs using predetermined sessionids.

On Jun 6, 2008, at 7:03 AM, Benjamin Fonze wrote:

> Hi all,
> I'm using memcached to manage the PHP sessions (among other things)  
> and it works great.
> Now, I'm trying to share a session from my main domain, to a sub- 
> domain. (without using cookies)
> I'm passing the session ID from one domain to the other, and set it  
> using session_id() however, the session is still another one, a new  
> one. (With the same session ID)
> Is it because of sessions security? Is there a way to share a  
> session between different subdomains without using cookies?
> Thanks for your help!
> Cheers,
> Benja.

More information about the memcached mailing list