Bug #43673
Session shutdown might keep destroyed session alive
| Status: | Resolved | Start date: | 2012-12-06 | |
|---|---|---|---|---|
| Priority: | Should have | Due date: | ||
| Assigned To: | Robert Lemke | % Done: | 100% |
|
| Category: | Session | |||
| Target version: | TYPO3 Flow Base Distribution - 2.0 beta 1 | |||
| PHP Version: | 5.3 | Complexity: | medium | |
| Has patch: | No | Affected Flow version: | Git 1.2 (master) |
Description
There's a race condition in multi-server setups regarding the session shutdown: If a session has been destroyed by a second server between start() / resume() and shutdownObject(), the shutdown method will implicitly revive the session because it writes the session entry into the storage cache without checking if the session still exists.
Associated revisions
[BUGFIX] Fix race condition in session shutdown
This protects sessions against being revived through the shutdown
method even though they were destroyed remotely in the meantime.
This patch also contains a small modification and related test to make
sure that incoming session cookies are not blindly sent back to the
user agent in the response. Instead, a clean, new session cookie with
the parameters set in Flow's settings is created.
Change-Id: I09cfd7cbdeb53bfff5345c35592bc88c0fd49fff
Resolves: #43673
Releases: 1.2
History
#1 Updated by Gerrit Code Review over 2 years ago
- Status changed from Accepted to Under Review
Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/16994
#2 Updated by Gerrit Code Review over 2 years ago
Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/16994
#3 Updated by Robert Lemke over 2 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 4dac593a462b55165f0df3a794180fee1381e4f5.