From: Neil <neil.matatall@gmail.com>
To: Rack Development <rack-devel@googlegroups.com>
Subject: Session collisions on rails 3.1rc4 (authlogic, omniauth, memcache store, passenger)
Date: Mon, 25 Jul 2011 11:22:20 -0700 (PDT) [thread overview]
Message-ID: <f4416221-592c-4b98-af7d-f8f98170d3df@t8g2000prm.googlegroups.com> (raw)
While it's entirely possible that this issue is caused by some other
factor, but we are getting session collisions as well as an issue
where one user is getting another user's session. This is clearly
bad, but I cannot for the life of me figure out how this could even
happen in the first place. The code looks thread safe to me, and a
quick discussion on #ruby-lang seems to support that.
Thoughts:
1. Session IDs are being generated in the same sequence (uses
securerandom -> openssl which does not have a static seed)
2. Threads. Looks good to me.
3. Maybe memcached is returning something other than "STORED/
NOT_STORED" for @pool.add(sid, session), but the operation still
succeeded?
4. Gnomes.
Any input is GREATLY appreciated. Please don't say "it's an RC, what
do you expect?" :)
From https://github.com/rack/rack/blob/master/lib/rack/session/memcache.rb
def generate_sid
loop do
sid = super
break sid unless @pool.get(sid, true)
end
end
def get_session(env, sid)
with_lock(env, [nil, {}]) do
unless sid and session = @pool.get(sid)
sid, session = generate_sid, {}
unless /^STORED/ =~ @pool.add(sid, session)
raise "Session collision on '#{sid.inspect}'"
end
end
[sid, session]
end
end
def set_session(env, session_id, new_session, options)
expiry = options[:expire_after]
expiry = expiry.nil? ? 0 : expiry + 1
with_lock(env, false) do
@pool.set session_id, new_session, expiry
session_id
end
end
next reply other threads:[~2011-07-25 18:38 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-07-25 18:22 Neil [this message]
2011-07-25 20:23 ` Session collisions on rails 3.1rc4 (authlogic, omniauth, memcache store, passenger) Joshua Ballanco
2011-07-25 21:12 ` Neil Matatall
2011-07-28 19:54 ` Neil Matatall
2011-08-03 10:32 ` Joshua Ballanco
2011-08-04 23:26 ` James Tucker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://groups.google.com/group/rack-devel
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f4416221-592c-4b98-af7d-f8f98170d3df@t8g2000prm.googlegroups.com \
--to=rack-devel@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).