[Tickets #7712] Memcache Session handler, shouldn't unlock if no data in memcache
bugs at horde.org
bugs at horde.org
Thu Nov 20 16:54:44 UTC 2008
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/7712
------------------------------------------------------------------------------
Ticket | 7712
Created By | urkle at outoforder.cc
Summary | Memcache Session handler, shouldn't unlock if no data
| in memcache
Queue | Horde Framework Packages
Version | HEAD
Type | Bug
State | Unconfirmed
Priority | 1. Low
Milestone |
Patch |
Owners |
------------------------------------------------------------------------------
urkle at outoforder.cc (2008-11-20 11:54) wrote:
From looking through the current memcache session handler in CVS HEAD
(and the FW 3 Branch), it seems that there is a locking issue that can
occur on new sessions.
In the code you
1) create a lock
2) try and read the data from memcache. (in case of a new session this
will be nothing)
3) if there is no data then you release the lock
.... Later on page close
1) write the data (creating a new session)
2) release lock if set.
Now, the issue is if two requests happen to occur around the same time
when there is no session data (ie.. expired) then there is a high
probability that they will overwrite each other.
Example
Req 1> New Request
Req 1> Fetch Session (no data, expired, release lock)
Req 2> New Request
Req 2> Fetch Session (No data, expired, release lock)
Req 2> Processing
Req 2> Store Session
Req 2> End Request
Req 1> Store Session
Req 1> End Request
Because there is no lock, Req 1 overwrites Req 2s data (and Req 2 is
allowed to actually run even though it should have waited for Req 1).
The worse case is this, (ie login scenario)
R 1> New Request
R 1> Fetch Session (no data, expired, release lock)
R 1> Login attempt
R 2> Nww Request
R 2> Fetch Session (no data, expired, release lock)
R 1> Process Login
R 2> Do something else
R 1> Store Session
R 1> End Request
R 2> Store Session (Overwriting Requests 1's login session)
R 2> End Request
This results in the users session being overwritten by another request
that user pushed through and thus, they are not logged in.
The solution would be to *NOT* release the lock if there is no
session, because we ARE going to be writing at the end of the request.
More information about the bugs
mailing list