Fork me on GitHub
#ring
<
2020-01-30
>
Scot02:01:46

Hey, I noticed that ring.middleware.session is not thread-safe, and so a long-running http request could overwrite the session with stale data. Is anyone concerned about this, or do people generally write their own session implementations that deal with this?

jumar08:01:24

Interesting, do you have more details about that?

weavejester13:01:38

In practice, session data is rarely used in a manner where this would be an issue, and not all session stores (encrypted cookies for example) can support an atomic “swap”. Where concurrency is required, it’s often better to store an identifier in the session that links to a database that supports atomic updates.

jumar14:01:57

Any details about how exactly this could happen (possible with some code pointers)? 🙂

weavejester14:01:00

Two handlers overlap and want to write at the same time. So A reads session, B reads session, B writes session, A writes session. In this case, B’s changes would be overwritten by A’s changes.

jumar14:01:53

Ah, I see. Thanks!

weavejester14:01:18

For certain types of session store this is unavoidable, as not all stores support atomic updates.

Scot19:01:38

Thanks for the reply. Makes sense.