memcached and session

Mikael Johansson mikael at
Fri Jun 6 17:46:32 UTC 2008


The pecl/memcache session handler doesn't use any namespacing; the key that is
sent to memcached is the same as provided by the main PHP session code, i.e. by
default a 32 byte random string (hex encoded). So the trick is, as suggested, to
use a cookie set to be valid for your entire domain instead of just the specific
subdomain; this can be changed by setting session.cookie_domain in your php.ini file.


The different subdomain hosts must of course talk to the same set of memcached
servers and they must be added in the same order, i.e. the session.save_path must
be the same on both hosts.


On Fri Jun 6 19:06, Jose Avila sent:

> Most users will block cookies if they don't provide them with any functionality,
> but login cookies and session cookies usually are related to certain
> functionality. I would advise not passing the session id through the URL because
> it could easily be hijacked. As easy as your users hitting your site and then
> going to another site: the new site would get the referral URL with the session id.
> Unless you bind the session to an IP to add a bit more protection, I would advise
> against it.
>
> Now back to your issue. I think the memcache extension uses a
> namespace together with the session management, so even though you are passing the
> same session id it's on a different namespace based on the host. I cannot prove
> this, for I have not seen the code, but this used to be an issue I found back in
> the days using eaccelerator to share values among several domains in the same
> host.
>
> What I currently do to share sessions in several domains is I use my own
> session handler that uses memcache and mysql. To pass my session to another
> domain, I create a temporary token that I bind to the information on the current
> session, not the session itself. I redirect to the new domain using that token;
> when hitting the new domain with the token, I fetch the information from the db and
> recreate the session in the new domain with a different session id. You can go
> either way, same session id or different session id, but don't pass it through
> the URL; pass a unique token that, once the session has been established in the new
> domain, invalidates the token so it can't be stolen through XSS.
> On Jun 6, 2008, at 8:18 AM, Benjamin Fonze wrote:
> Yep, I know how to do it with cookies, works pretty good, but I realized a big
> percentage of users block cookies, so I prefer not to use them.
> I do pass the session ID through the URL, but somehow, it still considers it as a
> new session when jumping from one domain to the other.
> On Fri, Jun 6, 2008 at 4:50 PM, Robert Swarthout <rswarthout at> wrote:
> The only other reliable way that I have seen used is to pass the session id
> through the URL, which search engines frown upon.
> On 6/6/08 10:47 AM, "Benjamin Fonze" <benjabcn at> wrote:
> Correct. Since so many users block cookies nowadays...
> On Fri, Jun 6, 2008 at 4:41 PM, Robert Swarthout <rswarthout at> wrote:
> When you say, "without using cookies" are you also implying that you do not
> want to use session cookies?
> On 6/6/08 10:03 AM, "Benjamin Fonze" <benjabcn at> wrote:
> Hi all,
> I'm using memcached to manage the PHP sessions (among other things) and it
> works great.
> Now, I'm trying to share a session from my main domain, to a sub-domain.
> (without using cookies)
> I'm passing the session ID from one domain to the other, and set it using
> session_id() however, the session is still another one, a new one. (With the same
> session ID)
> Is it because of sessions security? Is there a way to share a session between
> different subdomains without using cookies?
> Thanks for your help!
> Cheers,
> Benja.
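
The one-time token handoff Jose Avila describes in the quoted reply, sketched as an added example that is not code from the thread or from pecl/memcache. `ArrayStore`, the two function names, the 30-second lifetime and storing only a SHA-256 hash of the token are assumptions made for illustration; in a real deployment the store would be the memcached or MySQL backend both hosts share.

```php
<?php
// Added example, not code from the thread. ArrayStore is a hypothetical
// in-memory stand-in for the shared memcached/MySQL store both hosts can reach.
final class ArrayStore
{
    private array $items = [];
    public function set(string $key, array $value, int $ttl): void
    {
        $this->items[$key] = ['value' => $value, 'expires' => time() + $ttl];
    }

    public function get(string $key): ?array
    {
        $item = $this->items[$key] ?? null;
        return ($item !== null && $item['expires'] >= time()) ? $item['value'] : null;
    }

    // Returns true for exactly one caller, so it doubles as the "consume" step.
    public function delete(string $key): bool
    {
        $existed = isset($this->items[$key]);
        unset($this->items[$key]);
        return $existed;
    }
}

// Origin host: bind a short-lived random token to the session's data, never the session id.
function issueHandoffToken(ArrayStore $store, array $sessionData, string $targetHost): string
{
    $token = bin2hex(random_bytes(32));
    $store->set('handoff:' . hash('sha256', $token), ['data' => $sessionData, 'host' => $targetHost], 30);
    return $token; // this goes into the redirect URL instead of the session id
}

// Target host: redeem once, then start a session with a fresh id and copy the data in.
function redeemHandoffToken(ArrayStore $store, string $token, string $currentHost): ?array
{
    $key = 'handoff:' . hash('sha256', $token);
    $entry = $store->get($key);
    if ($entry === null || !$store->delete($key)) {
        return null; // unknown, expired or already used
    }
    return hash_equals($entry['host'], $currentHost) ? $entry['data'] : null;
}
// Constructed demo values.
$store = new ArrayStore();
$token = issueHandoffToken($store, ['user_id' => 42], 'sub.example.com');
var_dump(redeemHandoffToken($store, $token, 'sub.example.com')); // first redemption
var_dump(redeemHandoffToken($store, $token, 'sub.example.com')); // replay of the same token
```

On the target host, call `session_start()` followed by `session_regenerate_id(true)` before copying the redeemed data into `$_SESSION`, so the new domain never reuses an id that appeared anywhere outside a cookie.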
