rack-devel archive mirror (unofficial) https://groups.google.com/group/rack-devel
 help / color / mirror / code / Atom feed
* Session collisions on rails 3.1rc4 (authlogic, omniauth, memcache store, passenger)
@ 2011-07-25 18:22 Neil
  2011-07-25 20:23 ` Joshua Ballanco
  0 siblings, 1 reply; 6+ messages in thread
From: Neil @ 2011-07-25 18:22 UTC (permalink / raw)
  To: Rack Development

While it's entirely possible that this issue is caused by some other
factor, but we are getting session collisions as well as an issue
where one user is getting another user's session.  This is clearly
bad, but I cannot for the life of me figure out how this could even
happen in the first place.  The code looks thread safe to me, and a
quick discussion on #ruby-lang seems to support that.

1.  Session IDs are being generated in the same sequence (uses
securerandom -> openssl which does not have a static seed)
2.  Threads.  Looks good to me.
3.  Maybe memcached is returning something other than "STORED/
NOT_STORED" for @pool.add(sid, session), but the operation still
4.  Gnomes.

Any input is GREATLY appreciated.  Please don't say "it's an RC, what
do you expect?" :)

From https://github.com/rack/rack/blob/master/lib/rack/session/memcache.rb
      def generate_sid
        loop do
          sid = super
          break sid unless @pool.get(sid, true)

      def get_session(env, sid)
        with_lock(env, [nil, {}]) do
          unless sid and session = @pool.get(sid)
            sid, session = generate_sid, {}
            unless /^STORED/ =~ @pool.add(sid, session)
              raise "Session collision on '#{sid.inspect}'"
          [sid, session]

      def set_session(env, session_id, new_session, options)
        expiry = options[:expire_after]
        expiry = expiry.nil? ? 0 : expiry + 1

        with_lock(env, false) do
          @pool.set session_id, new_session, expiry

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2011-08-04 23:26 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-07-25 18:22 Session collisions on rails 3.1rc4 (authlogic, omniauth, memcache store, passenger) Neil
2011-07-25 20:23 ` Joshua Ballanco
2011-07-25 21:12   ` Neil Matatall
2011-07-28 19:54   ` Neil Matatall
2011-08-03 10:32     ` Joshua Ballanco
2011-08-04 23:26       ` James Tucker

Code repositories for project(s) associated with this public inbox


This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).