Date: Mon, 25 Jul 2011 11:22:20 -0700 (PDT)
Subject: Session collisions on rails 3.1rc4 (authlogic, omniauth, memcache store, passenger)
From: Neil <neil.matatall@gmail.com>
To: Rack Development <rack-devel@googlegroups.com>

While it's entirely possible that this issue is caused by some other factor, we are getting session collisions as well as an issue where one user is getting another user's session. This is clearly bad, but I cannot for the life of me figure out how this could even happen in the first place. The code looks thread safe to me, and a quick discussion on #ruby-lang seems to support that.

Thoughts:

1. Session IDs are being generated in the same sequence (uses securerandom -> openssl which does not have a static seed)
2. Threads. Looks good to me.
3. Maybe memcached is returning something other than "STORED/NOT_STORED" for @pool.add(sid, session), but the operation still succeeded?
4. Gnomes.

Any input is GREATLY appreciated. Please don't say "it's an RC, what do you expect?"
:)

From https://github.com/rack/rack/blob/master/lib/rack/session/memcache.rb

    def generate_sid
      loop do
        sid = super
        break sid unless @pool.get(sid, true)
      end
    end

    def get_session(env, sid)
      with_lock(env, [nil, {}]) do
        unless sid and session = @pool.get(sid)
          sid, session = generate_sid, {}
          unless /^STORED/ =~ @pool.add(sid, session)
            raise "Session collision on '#{sid.inspect}'"
          end
        end
        [sid, session]
      end
    end

    def set_session(env, session_id, new_session, options)
      expiry = options[:expire_after]
      expiry = expiry.nil? ? 0 : expiry + 1

      with_lock(env, false) do
        @pool.set session_id, new_session, expiry
        session_id
      end
    end
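The collision guard quoted above, exercised as an added example (my code, not Rack's or Neil's) against a constructed in-memory pool: it checks that concurrent first requests each get a distinct sid and read back only their own data, and reproduces thought 3, where an add that does store the value but answers something other than STORED trips the guard. FakePool, Store, concurrent_sessions and collision_on_odd_reply are names assumed for this example.

```ruby
require 'securerandom'
# Constructed in-memory stand-in for the memcache client pool (not the real client):
# add answers "STORED\r\n" or "NOT_STORED\r\n", which Rack's store matches with /^STORED/.
class FakePool
  def initialize(add_reply = "STORED\r\n")
    @data, @mutex, @add_reply = {}, Mutex.new, add_reply
  end
  def get(sid, _raw = false); @mutex.synchronize { @data[sid] }; end
  def set(sid, value, _expiry = 0); @mutex.synchronize { @data[sid] = value }; end
  # Atomic store-if-absent: the collision guard the quoted code relies on
  def add(sid, value)
    @mutex.synchronize do
      return "NOT_STORED\r\n" if @data.key?(sid)
      @data[sid] = value
      @add_reply
    end
  end
end

# Same generate_sid / get_session logic as the Rack code quoted in the post
class Store
  def initialize(pool); @pool = pool; end
  def generate_sid
    loop { sid = SecureRandom.hex(16); break sid unless @pool.get(sid, true) }
  end
  def get_session(sid)
    unless sid and session = @pool.get(sid)
      sid, session = generate_sid, {}
      raise "Session collision on '#{sid.inspect}'" unless /^STORED/ =~ @pool.add(sid, session)
    end
    [sid, session]
  end
end

# n concurrent first requests; returns [distinct sids, sessions that read back another caller's data]
def concurrent_sessions(n)
  store = Store.new(pool = FakePool.new)
  threads = Array.new(n) { |i| Thread.new { sid, s = store.get_session(nil); pool.set(sid, s.merge(user: i)); sid } }
  sids = threads.map(&:value)
  [sids.uniq.size, sids.each_with_index.count { |sid, i| pool.get(sid)[:user] != i }]
end

# Thought 3 from the post: add stores the value but answers something other than STORED,
# so the guard raises even though no sid was actually reused
def collision_on_odd_reply
  Store.new(FakePool.new("OK\r\n")).get_session(nil)
  false
rescue RuntimeError => e
  e.message.start_with?("Session collision")
end
```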