keep track of old session id to handle race condition #1713

Closed
wants to merge 2 commits into
from

Conversation

Projects
None yet
3 participants

Handle session rotation race condition in a different way than the is_ajax_request check that is currently done. That check is still used as a fallback, but this way allows us to handle multiple requests to the server even if they are not ajax requests.

The major drawback is that it requires a new field to be added to the session table.

(same issue as EllisLab#1283)

Contributor

dchill42 commented Sep 4, 2012

This issue is being discussed in #1746. You have an interesting solution, but I think it may not fully solve the problem at hand. I'd love to have your input in the other thread.

Also, the code your request proposes to change just got moved into a driver and slightly rearranged with the merge of #353.

Contributor

narfbg commented Nov 20, 2012

This beats the whole purpose behind regenerating the session ID - pointless. Any fixes for the problem should involve locking, not hacks around already established security measures.

narfbg closed this Nov 20, 2012

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment