This project is archived and is in readonly mode.

#2174 ✓stale
Pawel

No way to flush session data to session store immidiately enables race conditions to occur

Reported by Pawel | March 8th, 2009 @ 11:34 PM | in 3.x

Following code demonstrates race condition in session handling:


def action_that_should_be_called_only_once_per_session
  my_custom_lock_for_current_session do
    # Critical section
    @account.total_cash += session[:income]
    session.delete :income
  end
  # Race condition window from now to the moment when the session is stored.
  # User can refresh the page and increase @account.total_cash.
end

There should be a way to forcefully save session data to session store (with the obvious exception of cookie store). This way, calling (let's say) store_session() from within critical section will prevent above vulnerability.

In PHP there is session_write_close() which does similiar thing as described.

Comments and changes to this ticket

  • foospam (at o2)

    foospam (at o2) March 15th, 2009 @ 08:11 PM

    "I wonder why this ticket is not marked with security tag. This is an old problem with Rails and it should be fixed, but as now Rails handles sessions thru Rack I don't know where it belongs - to Rails or to Rack?"

  • Jeremy Kemper

    Jeremy Kemper May 4th, 2010 @ 06:48 PM

    • Milestone changed from 2.x to 3.x
  • David Trasbo

    David Trasbo August 1st, 2010 @ 06:39 PM

    • Importance changed from “” to “”

    The Memcache and cookie stores exists in Rack, ActiveRecord::SessionStore still lives inside Rails. Rails still implements an AbstractStore class, though, that it uses for the Active Record store. I don't know if Rails magically makes the two session stores that lives in Rack inherit from that class, or something. Maybe it has to fixed both in Rails and Rack.

  • Santiago Pastorino

    Santiago Pastorino February 2nd, 2011 @ 04:34 PM

    • State changed from “new” to “open”

    This issue has been automatically marked as stale because it has not been commented on for at least three months.

    The resources of the Rails core team are limited, and so we are asking for your help. If you can still reproduce this error on the 3-0-stable branch or on master, please reply with all of the information you have about it and add "[state:open]" to your comment. This will reopen the ticket for review. Likewise, if you feel that this is a very important feature for Rails to include, please reply with your explanation so we can consider it.

    Thank you for all your contributions, and we hope you will understand this step to focus our efforts where they are most helpful.

  • Santiago Pastorino

    Santiago Pastorino February 2nd, 2011 @ 04:34 PM

    • State changed from “open” to “stale”

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>

Referenced by

Pages