1 Topic by Ulph (edited by Ulph 2006-03-07 20:28)

  • Ulph
  • Member
  • Offline
  • Registered: 2005-02-06
  • Posts: 30

Topic: Possible race condition in check_cookie()

I have noticed that some users can get logged in twice. This causes messages from that particular user to be displayed twice.

I think the problem may be that you we do a query to get online status, check the online status and then update the database. This would cause a race condition if it isn't done atomically. Hm.. is this the case or would the begin/commit enclosing prevent that?

I am using postgresql and latest punbb.

EDIT: Hm.. after some more checking it seems like the transactions really should prevent race conditions, but I can't see how a users could get inserted twice into the online table otherwise..

Ulph's Website

  • CodeXP
  • Senior Member
  • Offline
  • From: /dev/null
  • Registered: 2004-07-07
  • Posts: 503

Re: Possible race condition in check_cookie()

See this topic: http://punbb.org/forums/viewtopic.php?id=8436

CodeXP's Website

3 Reply by Ulph

  • Ulph
  • Member
  • Offline
  • Registered: 2005-02-06
  • Posts: 30

Re: Possible race condition in check_cookie()

OK, thanks.

Why hasn't a fix been included in the current punbb?

If the transactions don't prevent this sort of race condition I can see where other problems easily could emerge, although not as often.

Ulph's Website

  • Smartys
  • Former PunBB Developer
  • Offline
  • Registered: 2004-04-30
  • Posts: 7,844

Re: Possible race condition in check_cookie()

Transactions aren't used by PunBB (at least in MySQL, I can see working transaction functions in the dblayer class for pgsql but I don't know that they're used), the reason being that only MyISAM tables don't support row locking

5 Reply by Miles

  • Registered: 2005-01-28
  • Posts: 49

Re: Possible race condition in check_cookie()

What about a UNIQUE constraint on the online table on (user_id, ident)?

  • From: 127.0.0.1
  • Registered: 2001-11-02
  • Posts: 9,167

Re: Possible race condition in check_cookie()

Ulph wrote:

OK, thanks.

Why hasn't a fix been included in the current punbb?

If the transactions don't prevent this sort of race condition I can see where other problems easily could emerge, although not as often.

Because it's very rare. It will be dealt with in the next release.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Rickard's Website