ring

Scot 2020-01-30T02:52:46.010800Z

Hey, I noticed that ring.middleware.session is not thread-safe, and so a long-running http request could overwrite the session with stale data. Is anyone concerned about this, or do people generally write their own session implementations that deal with this?

jumar 2020-01-30T08:05:24.011100Z

Interesting, do you have more details about that?

2020-01-30T13:19:38.011500Z

In practice, session data is rarely used in a manner where this would be an issue, and not all session stores (encrypted cookies for example) can support an atomic “swap”. Where concurrency is required, it’s often better to store an identifier in the session that links to a database that supports atomic updates.

jumar 2020-01-30T14:02:57.011800Z

Any details about how exactly this could happen (possible with some code pointers)? 🙂

2020-01-30T14:05:00.012Z

Two handlers overlap and want to write at the same time. So A reads session, B reads session, B writes session, A writes session. In this case, B’s changes would be overwritten by A’s changes.

jumar 2020-01-30T14:05:53.012200Z

Ah, I see. Thanks!

2020-01-30T14:06:18.012400Z

For certain types of session store this is unavoidable, as not all stores support atomic updates.

Scot 2020-01-30T19:13:38.012600Z

Thanks for the reply. Makes sense.