rack-devel archive mirror (unofficial) https://groups.google.com/group/rack-devel
From: Neil <neil.matatall@gmail.com>
To: Rack Development <rack-devel@googlegroups.com>
Subject: Session collisions on rails 3.1rc4 (authlogic, omniauth, memcache store, passenger)
Date: Mon, 25 Jul 2011 11:22:20 -0700 (PDT)
Message-ID: <f4416221-592c-4b98-af7d-f8f98170d3df@t8g2000prm.googlegroups.com>

While it's entirely possible that this issue is caused by some other
factor, we are getting session collisions as well as an issue
where one user is getting another user's session.  This is clearly
bad, but I cannot for the life of me figure out how this could even
happen in the first place.  The code looks thread safe to me, and a
quick discussion on #ruby-lang seems to support that.

Thoughts:
1.  Session IDs are being generated in the same sequence (uses
securerandom -> openssl which does not have a static seed)
2.  Threads.  Looks good to me.
3.  Maybe memcached is returning something other than "STORED/
NOT_STORED" for @pool.add(sid, session), but the operation still
succeeded?
4.  Gnomes.

Any input is GREATLY appreciated.  Please don't say "it's an RC, what
do you expect?" :)


From https://github.com/rack/rack/blob/master/lib/rack/session/memcache.rb
      def generate_sid
        loop do
          sid = super
          break sid unless @pool.get(sid, true)
        end
      end

      def get_session(env, sid)
        with_lock(env, [nil, {}]) do
          unless sid and session = @pool.get(sid)
            sid, session = generate_sid, {}
            unless /^STORED/ =~ @pool.add(sid, session)
              raise "Session collision on '#{sid.inspect}'"
            end
          end
          [sid, session]
        end
      end

      def set_session(env, session_id, new_session, options)
        expiry = options[:expire_after]
        expiry = expiry.nil? ? 0 : expiry + 1

        with_lock(env, false) do
          @pool.set session_id, new_session, expiry
          session_id
        end
      end
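
An added example, not part of the original message and not Rack's own code: it replays the get_session decision logic quoted above against a constructed in-memory pool, to show what that logic does when a session id repeats and when add returns an unexpected reply (thought 3). FakePool, its add_reply knob, allocate_session, run_scenarios and the sid value are all hypothetical names made up for this sketch.

```ruby
# Constructed in-memory stand-in for the memcache client (not the real gem).
# add() only stores a missing key and answers with memcached-style replies.
class FakePool
  def initialize(add_reply: "STORED\r\n")
    @data = {}
    @add_reply = add_reply # hypothetical knob: force an unexpected reply
  end

  def get(key, _raw = false)
    @data[key]
  end

  def add(key, value)
    return "NOT_STORED\r\n" if @data.key?(key)
    @data[key] = value
    @add_reply
  end
end

# Same decision logic as get_session in the post, with the sid source
# injected so a duplicate id can be forced deterministically.
def allocate_session(pool, sid, next_sid)
  session = sid && pool.get(sid)
  return [sid, session] if session
  sid, session = next_sid.call, {}
  reply = pool.add(sid, session)
  raise "Session collision on '#{sid.inspect}'" unless /^STORED/ =~ reply
  [sid, session]
end

# Runs three scenarios and returns what happened in each.
def run_scenarios
  dup = -> { "constructed-sid-1" } # constructed: always the same id
  pool = FakePool.new
  first = allocate_session(pool, nil, dup).first
  second = begin
    allocate_session(pool, nil, dup).first
  rescue RuntimeError => e
    e.message
  end
  odd = FakePool.new(add_reply: "SERVER_ERROR\r\n")
  third = begin
    allocate_session(odd, nil, dup).first
  rescue RuntimeError => e
    [e.message, odd.get("constructed-sid-1")]
  end
  { first: first, second: second, third: third }
end
```

In this model both a repeated id and an unexpected add reply end in the "Session collision" exception rather than in a second caller receiving the existing session; in the unexpected-reply case the entry is left stored even though the request failed.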
