Pros and cons of using memcached for PHP sessions

Question

Besides the drawback of when you restart memcached all sessions are lost and users logged out, what are any other drawbacks for using memcached for storing PHP sessions data instead of files. Any security concerns? Is performance better using memcached instead of standard files on disk?

Answer 1

Although, many have been able to optimize database performance through the use of Memcached it may not be the best solution for every situation.

Some of the drawbacks of Memcached:

1. Size Requirement
2. Not much Documentation support
3. Volatility (If a Memcached server instance crashes, any object data stored within the session is gone)
4. Security (There is no authentication built into Memcached).

But still Memcached is a good choice in many apps because of following reasons:

1. Memcached can compensate for insufficient ACID properties and it never blocks.
2. Memcached is cross-platform
3. Cross-DBMS
4. Its Cheap

Lets look at the brighter side!

Answer 2

Not a security concern specific to using memcached for sessions, but rather something I often come along: You absolutely must make sure that your memcached instances are either using unix sockets, or - if they're bound to a part - their port is blocked. Otherwise, people can just telnet in and view, modify and delete (session) data.

Also, as the name implies, it is a caching solution, not a storage solution. As such, if you decide to use memcached for session storage, you ought to have it either database backed or file-storage backed, so if there is a cache miss (entry deleted due to time out, manual removal, flush or because the assigned memory was full and it got pruned), it can check a more persistent type of storage before saying "nope, it isn't there".