The $_SESSION array isn't request-safe. When multiple requests are made by the same user with the same session (like multiple parallel AJAX calls), sessions tend to overwrite each other.
One possible scenario where I diagnosed the problem is when I tried to write a file upload progress monitoring module and, while the file upload progressed, asynchronous AJAX calls requested the upload status from the server.
1. How to reproduce:
I attached two files which have to be placed in the Drupal root in order to work. One (ajax-session.php) shows a scenario where standard PHP session storage is used and the other (ajax-session-drupal.php) fully bootstraps Drupal to use its session handling. The first case shows exclusive session handling, which is the expected behaviour; the second (Drupal bootstrapped) shows the problematic behaviour, where multiple requests overwrite the user's session.
2. What behaviour was expected:
The second case should show the same results as the first case.
3. What happened instead:
The user's session gets overwritten all the time.
P.S.: I tested the drupal-4-7, drupal-5 and drupal-head branches. All of them provide this misbehaviour.
| Comment | File | Size | Author |
|---|---|---|---|
| | drupal-session-bug.tar_.gz | 874 bytes | mtolmacs |
Comments
Comment #1
yched commented
True - that's the reason why $_SESSION was avoided when working on the batch API, in favor of dedicated db storage.
Comment #2
mtolmacs commented
I see. But based on the principle to use the proper tool for the given job, $_SESSION can't be neglected. I think managing the consistency of the session over parallel requests isn't the Drupal programmer's task. Drupal should provide this functionality.
If it is a bug then my only concern with creating a patch to fix this is the correct method to achieve the desired result. My first idea was to lock the row of the sessions table which contains the given user's serialized session at session open and release it at session close. Does this idea hold any drawbacks?
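The lost update from the report and the row-lock idea from comment #2, as an added example that is not part of the original thread or of Drupal's code. `SessionTable`, `run_parallel` and the session keys are hypothetical, and the table is an in-memory stand-in that assumes one serialized row per session, read at open and written back whole at close.

```php
<?php
// Added illustration, not Drupal's session code. SessionTable is a hypothetical
// in-memory stand-in for the sessions table: one serialized blob per session id.
class SessionTable {
    private array $rows = [];
    private array $locked = [];

    // Session open: read and unserialize the whole row. With $lock, refuse
    // while another request holds the row (a real handler would block instead).
    public function open(string $sid, bool $lock): ?array {
        if ($lock) {
            if (!empty($this->locked[$sid])) {
                return null; // caller must wait and retry
            }
            $this->locked[$sid] = true;
        }
        return isset($this->rows[$sid]) ? unserialize($this->rows[$sid]) : [];
    }

    // Session close: write the whole array back, then release the row lock.
    public function close(string $sid, array $data): void {
        $this->rows[$sid] = serialize($data);
        unset($this->locked[$sid]);
    }

    public function stored(string $sid): array {
        return unserialize($this->rows[$sid]);
    }
}

// Two parallel AJAX requests on one session (constructed values), interleaved
// as in the report: both open before either closes.
function run_parallel(bool $lock): array {
    $table = new SessionTable();
    $sid = 'constructed-session-id';
    $a = $table->open($sid, $lock);      // request A reads the empty session
    $b = $table->open($sid, $lock);      // request B reads it too, or is refused
    $a['upload_progress'] = 40;
    $table->close($sid, $a);             // A writes its copy and releases the row
    if ($b === null) {
        $b = $table->open($sid, $lock);  // B retries and now sees A's write
    }
    $b['cart_items'] = 3;
    $table->close($sid, $b);             // B writes its copy of the session
    return $table->stored($sid);
}

var_dump(array_keys(run_parallel(false))); // unlocked: B's stale copy replaces A's write
var_dump(array_keys(run_parallel(true)));  // row held from open to close: both keys kept
```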
Comment #3
dopry commented
I'm not sure that this is critical or a bug. You should be careful not to overwrite important session variables in your JS callbacks. If you need access to the Drupal session, you should bootstrap Drupal to the session. There is a reason that bootstrap phase exists. You should not be using sessions in Drupal without bootstrapping to DRUPAL_BOOTSTRAP_SESSION, unless you know what you're doing. Can you explain more thoroughly why you believe this to be a critical bug?
Comment #4
dopry commented
I did some more experimenting with your code. Basically your AJAX requests are coming in too quickly for the db reads and writes to occur. Especially with the random sleep in the PHP. If you set a timeout on your ajax_call function like:

```js
setTimeout('ajax_call('+i+')', 500 * i);
```

The issue doesn't occur if you set a small delay between AJAX calls to the server. A timeout as short as 150ms seems to be effective.
Comment #5
ShutterFreak commented
Subscribing to this issue.
Comment #6
dharamgollapudi commented
subscribing...
Comment #7
nschindler commented
subscribing
Comment #8
mtolmacs commented
Sorry for the late reply. I see your point in this, but your idea does not stand on a very stable basis. What if my DB servers are so heavily loaded that 150ms won't be enough? Yes, I can increase the value. But there is a limit that will be unacceptable, especially when my DB servers _can_ push the data faster under lighter loads than, say, your 150ms.
With this report I specifically meant a Comet-like scenario. A 150ms delay is just not acceptable.
I still hold that this is a race condition in the session implementation and this is why it is critical.
Comment #9
andrewfn commented
This problem is constantly coming up all over the place. For example: http://drupal.org/node/162036 and http://drupal.org/node/61175 and I have just seen it in the CCK image field queue: http://drupal.org/node/174638
I spoke to Nate Haug at Lullabot who has reworked much of the JavaScript in Drupal 6 and he thinks the problem has gone away in the new version. Can anyone confirm this?
Comment #10
mtolmacs commented
Will test it during this week with HEAD. Thank you!
Comment #11
matt_paz commented
subscribing
Comment #12
dpearcefl commented
Is this an issue with the latest Drupal?
Comment #13
Anonymous (not verified) commented
No response from OP, closing.
Comment #14
renuka_udavant commented
Hi.
I use the session in my 1st AJAX call; after getting the response I call the 2nd AJAX, and the session is not working on the 2nd AJAX call.
Kindly please help me to resolve this.