Bug #43673

Session shutdown might keep destroyed session alive

Added by Robert Lemke over 6 years ago. Updated over 6 years ago.

Status: Resolved
Priority: Should have
Assignee:
Category: Session
Start date: 2012-12-06
Due date:
% Done: 100%
PHP Version: 5.3
Has patch: No
Complexity: medium

Description

There's a race condition in multi-server setups regarding the session shutdown: If a session has been destroyed by a second server between start() / resume() and shutdownObject(), the shutdown method will implicitly revive the session because it writes the session entry into the storage cache without checking if the session still exists.
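The interleaving described above, replayed against an in-memory stand-in for the shared storage cache. This is an added example, not code from Flow or from the linked revision: `SharedCache`, `DemoSession`, both shutdown methods and the session id are hypothetical names constructed for illustration.

```php
<?php
// Added illustration: SharedCache and DemoSession are hypothetical, not Flow classes.
/** Stand-in for the storage cache that every server reads and writes. */
final class SharedCache
{
    private $entries = array();
    public function has($id) { return isset($this->entries[$id]); }
    public function set($id, array $data) { $this->entries[$id] = $data; }
    public function remove($id) { unset($this->entries[$id]); }
}

final class DemoSession
{
    private $cache;
    private $id;
    private $data = array();

    public function __construct(SharedCache $cache, $id) { $this->cache = $cache; $this->id = $id; }

    public function start() { $this->cache->set($this->id, $this->data); }
    public function destroy() { $this->cache->remove($this->id); }

    /** Behaviour described in the report: writes the entry without checking existence. */
    public function shutdownUnchecked()
    {
        $this->cache->set($this->id, $this->data);
    }

    /** Guarded variant: a session destroyed elsewhere stays destroyed. */
    public function shutdownChecked()
    {
        if (!$this->cache->has($this->id)) {
            return false; // destroyed remotely in the meantime, so write nothing
        }
        $this->cache->set($this->id, $this->data);
        return true;
    }
}

// Constructed scenario: two servers hold a handle on the same session id.
foreach (array('shutdownUnchecked', 'shutdownChecked') as $method) {
    $cache = new SharedCache();
    $serverA = new DemoSession($cache, 'constructed-session-id');
    $serverB = new DemoSession($cache, 'constructed-session-id');
    $serverA->start();    // request begins on server A
    $serverB->destroy();  // logout is handled by server B
    $serverA->$method();  // server A finishes its request and shuts the session down
    printf("%-18s session exists afterwards: %s\n", $method, var_export($cache->has('constructed-session-id'), true));
}
```

The `has()`/`set()` pair in `shutdownChecked()` is not atomic, so a destroy that lands between the two calls can still be overwritten; the check narrows the window rather than closing it.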

Associated revisions

Revision 4dac593a (diff)
Added by Robert Lemke over 6 years ago

[BUGFIX] Fix race condition in session shutdown

This protects sessions against being revived through the shutdown
method even though they were destroyed remotely in the meantime.

This patch also contains a small modification and related test to make
sure that incoming session cookies are not blindly sent back to the
user agent in the response. Instead, a clean, new session cookie with
the parameters set in Flow's settings is created.

Change-Id: I09cfd7cbdeb53bfff5345c35592bc88c0fd49fff
Resolves: #43673
Releases: 1.2

History

#1 Updated by Gerrit Code Review over 6 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/16994

#2 Updated by Gerrit Code Review over 6 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/16994

#3 Updated by Robert Lemke over 6 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
