Race condition between session deletion and reading

[thorsteneckel]

Hi maintainers,

We over at Zammad have a race condition between session deletion and updating.
Zammad is a SPA with a websocket server which informs the frontend about new data to fetch. It happens (a lot in our CI env) that one of these data fetch requests is performed at the same time the user logs out. This leads to a race condition between reading and deletion of the session. I managed to get it fixed by wrapping the actual deletion in a model.with_lock block.
This leads me to my question: While preparing a pull request for this I noticed that an own session class implementation is possible while running the tests. How should I proceed from here?

OT but probably interesting:
While investigating this I noticed that the delete_session uses the get_session_model method which creates a new instance if no existing is found only to destroy it afterwards. Using @@session_class.find_by_session_id(id) instead (which is get_session_model doing too) works fine in our env and avoids the overhead. I'd love to contribute a PR if you give me green light 👌

Looking forward for your feedback. Cheers.

[sikachu]

I'm sorry, but I'm not sure if I understand your first question. Do you mind showing us what you mean?

For OT: Yeah, I think that would be a great improvement.

[thorsteneckel]

Sorry for the noise. It seems like the race condition was actually caused by using session.clear instead of reset_session. We were running the tests several times in our CI env with this change and it no longer occurred. Closing now.