[Tickets #13231] Re: Hashtable session handler doesn't unlock on session close

noreply at bugs.horde.org noreply at bugs.horde.org
Thu May 29 18:29:12 UTC 2014


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/13231
------------------------------------------------------------------------------
  Ticket             | 13231
  Updated By         | Michael Slusarz <slusarz at horde.org>
  Summary            | Hashtable session handler doesn't unlock on session
                     | close
  Queue              | Horde Framework Packages
  Version            | Git master
  Type               | Bug
  State              | Feedback
  Priority           | 1. Low
  Milestone          |
  Patch              |
  Owners             |
------------------------------------------------------------------------------


Michael Slusarz <slusarz at horde.org> (2014-05-29 12:29) wrote:

>> If Kronolith for some
>> reason sends 15 listEvents requests in a row, it is a reasonable
>> assumption that the 15th is the least important request.  It should
>> not, by virtue of random luck, suddenly jump to 2nd in the queue.
>
> For the sake of completeness, the earlier requests are the requests  
> that are (supposed) to take the least amount of time to complete.  
> I.e., internal calendars. The later requests are those that may take  
> a longer time, such as remote calendars.

I wonder if one compromise option is to lump all "internal" calendars  
into a single request, and all "other" calendars into a second request.

>> ... especially since I am not convinced that the use-case here is
>> what needs enhancement, not the session storage.
>
> Your earlier comment about it working that way "because that's the
> way the javascript code was written." isn't correct. It was written  
> that way because we don't want the user waiting for EVERY SINGLE  
> calendar to be loaded into memory before we send anything back to  
> the client and update the UI.

OK.  I wasn't sure how listEvents were being sent.  I agree with this  
from a UI perspective.  Aside: it would be really nice for some sort  
of PHP solution to allow for bi-directional communication regarding  
this kind of polling.  see http://wiki.horde.org/Project/H6TODO and/or  
reactphp  Obviously this isn't useful now, but something to look at in  
the future.

> This would create an unnecessary wait time for users that have,  
> e.g., any slowly responding remote calendars.

Unfortunately, the problem as it currently stands is that you can  
possibly/easily create a pretty bad DoS situation for the current user.

Say a user has 20 remote calendars defined.  (It sounds like Arjen has  
~15, so this is not an excessive number).  Worst case scenario: those  
20 remote calendars are reachable ... meaning they won't reject  
network connection attempts ... but the actual services on those  
servers don't return anything.  The connections just sit in wait states.

If you send 20 requests, and each request has to time out, this is 20  
request * 30 seconds (the default) = 10 minutes.  Some of those PHP  
requests may timeout... but from my experience you can't count on this  
- and this can also be disabled locally in php.ini.  So you've  
essentially locked the user out of accessing Horde for 10 minutes.

> IMO, it doesn't make any sense to force this extra wait time on the  
> user because one of the (not even recommended) session handlers  
> doesn't work satisfactorily.

My example is session-handler agnostic.

Seems to me a better solution, from a performance perspective, is to  
manually close the session while the remote calendars are being  
fetched.  (Even better, if the session data is unchanged in the  
listEvents call, you don't even need to reopen the session after it is  
completed.)  This is what we do in IMP when:
   * listing Mailboxes
   * building mailbox list
   * building message display data
to prevent these kind of DoS issues.





More information about the bugs mailing list