Database session handlers have concurrency issues

[david]

Typical concurrency problems, since they won't obtain an exclusive lock over the session as the normal PHP file based session handler does.

Infos:

• http://thwartedefforts.org/2006/11/11/race-conditions-with-ajax-and-php-sessions/
• http://www.mysqlperformanceblog.com/2007/03/27/php-sessions-files-vs-database-based/
• http://www.chipmunkninja.com/Troubles-with-Asynchronous-Ajax-Requests-g@
• http://www.sitepoint.com/blogs/2006/02/27/ajax-and-session-race-conditions/

[david]

We can attempt to fix it for all storage drivers and, in case of PDO, for all databases, or we provide callbacks for locking similar to those the execution filter has now and people can implement their locking mechanisms in userland (think MySQL InnoDB vs MyISAM - nightmarish)

[jake]

David,

while I believe this is an issue, I don't believe it's the one I experienced and described on IRC. The page I was loading had no AJAX component on it. It was an HTML only page, and I still received this error. So, while I think this fix is probably required, it probably isn't going to fix the issue I found. If I can do something to make the troubleshooting process easier, please let me know.

-Blake

[mailing_lists@…]

You can have the same problem with pages without ajax components. You just need to have a second component that accesses the session - we could trigger that problem with images that are accessed via php (so we can enforce user rights checking etc). The image takes the place of the ajax component in that case.

[david]

Yeah, or just people opening several tabs at the same time.

In a nutshell, the approach we're taking is providing people with hooks they can use to implement their own locking. Lets maybe discuss this over the weekend in more detail

[david]

I'm moving this to 1.0 as it seems to be a little bit non-trivial to fix; waiting for mark and jake to tackle it

[david]

we might want to consider moving this to milestone:1.1, see #661 and wiki:Cleanup/Storage

[david]

moving to 1.1 for now, can always move it back for inclusion in a 1.0.x release, but given how we need to re-build all "storages" anyway, it would mean doing the work twice...