Race condition in session save.
|Reported by:||tevans||Owned by:||nobody|
|Cc:||Triage Stage:||Design decision needed|
|Has patch:||no||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
Using the DB backend, SessionStore.save() follows this logic:
Generate a session key by calling self._get_or_create_session_key()
_get_or_create_session_key() generates a random key, and then tests to see if it exists in the database.
Once it finds one which does not exist in the database, it returns the key.
save() then tries one time to persist the session into the database.
If this raises an IntegrityError, due to the same key being allocated to another client simultaneously, then the error is raised, and no further processing takes place.
The SessionStore.create() method avoids this situation by repeatedly attempting to persist a session, changing the session key and trying again if this fails.
This is not possible to do from outside the session class (well, you can, you have to use _non_public_apis() to do it), and so you cannot reliably save() an unsaved session object.
Change History (5)
comment:1 Changed 4 years ago by aaugustin
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
- Triage Stage changed from Unreviewed to Design decision needed
comment:4 Changed 3 years ago by aaugustin
- Resolution set to needsinfo
- Status changed from new to closed