1 (edited by Ulph 2006-03-07 20:28)

Topic: Possible race condition in check_cookie()

I have noticed that some users can get logged in twice. This causes messages from that particular user to be displayed twice.

I think the problem may be that you we do a query to get online status, check the online status and then update the database. This would cause a race condition if it isn't done atomically. Hm.. is this the case or would the begin/commit enclosing prevent that?

I am using postgresql and latest punbb.

EDIT: Hm.. after some more checking it seems like the transactions really should prevent race conditions, but I can't see how a users could get inserted twice into the online table otherwise..

Re: Possible race condition in check_cookie()

See this topic: http://punbb.org/forums/viewtopic.php?id=8436

3

Re: Possible race condition in check_cookie()

OK, thanks.

Why hasn't a fix been included in the current punbb?

If the transactions don't prevent this sort of race condition I can see where other problems easily could emerge, although not as often.

Re: Possible race condition in check_cookie()

Transactions aren't used by PunBB (at least in MySQL, I can see working transaction functions in the dblayer class for pgsql but I don't know that they're used), the reason being that only MyISAM tables don't support row locking

5

Re: Possible race condition in check_cookie()

What about a UNIQUE constraint on the online table on (user_id, ident)?

Re: Possible race condition in check_cookie()

Ulph wrote:

OK, thanks.

Why hasn't a fix been included in the current punbb?

If the transactions don't prevent this sort of race condition I can see where other problems easily could emerge, although not as often.

Because it's very rare. It will be dealt with in the next release.

"Programming is like sex: one mistake and you have to support it for the rest of your life."