Bug #44203: Session implementation is still racy - TYPO3.Flow - TYPO3 Forge

TYPO3 Flow Base Distribution TYPO3.Eel TYPO3.Flow TYPO3.Fluid TYPO3.Kickstart TYPO3.Welcome Packages Applications

Bug #44203

Session implementation is still racy

Added by Helmut Hummel over 2 years ago. Updated almost 2 years ago.

Status:

Needs Feedback

Start date:

2012-12-22

Priority:

Should have

Due date:

Assigned To:

Robert Lemke

% Done:

Category:

Session

Target version:

TYPO3 Flow Base Distribution - 2.0.1

PHP Version:

Complexity:

Has patch:

Affected Flow version:

Flow 2.0.0 beta 1

Description

Disclaimer: I did not test anything, but only making assumptions by reading the code. Just close this ticket if I'm mistaken.

Just want to make you aware that the session handling introduced in #43376 is racy.
The old session handling relied on the basic PHP session implementation. This is protected against concurrent requests.
Consider this simple script:

<?php
<?php
session_start();
var_dump($_SESSION);

if (!empty($_GET['test'])) $_SESSION['test'] ++;

if (!empty($_GET['sleep'])) sleep(15);

var_dump($_SESSION);

When you call it first with http://localhost/session.php?test=1&sleep=1 and in a second tab with http://localhost/session.php?test=1 The second request waits on session_start() until the first request is completed. This ensures consistent session data over multiple concurrent requests, which are quite common especially when using asynchronous Ajax calls.

PHP obviously does locking for sessions, the new session implementation of Flow does not (or the locking code is somewhere well hidden ;)

Maybe that's not a big deal (the session implementation of TYPO3 CMS is also racy as hell and still does it's job most of the time), but I wanted to let you know that this could cause troubles especially in Neos...

Related issues