[RCD] Session handler with custom session-methods are not thread-safe.

Micha micha at bnet.at
Thu Nov 15 14:24:35 CET 2007

Hi to all.


I discovered a problem with the login, where after some logins and logouts,
every new Login-Attempt kicked me back to the login screen. Without any
mention of a problem in the logs. I searched the forum and found that some
users experienced similar problems.


After some debugging I found the weak point. The problem is, that the
sess_read and sess_write methods that are used during logout and also used
from the periodical mail checking process, are not "synchronized"
(thread-safe). So it is possible that the two events occur at the same time:


The events occur in the following order:
1. Logout calls sess_read
2. Periodical Mail Check calls sess_read
3. Logout calls sess_write (with $vars (temp|b:1))
4. Periodical Mail Check calls sess_write ($vars without temp)


Step 4 ("mail check") overwrites the Session-Parameters from Step 3
("logout"). The concrete problem in this case is the temp-Parameter. Next
login, session_start reads in the session parameter, where "temp" must be
true, to start a new session. Otherwise when ("temp" == false), roundcube
expects a valid session and tries to resume that session. (In index.php
$_SESSION['temp'] will be checked but fails.) 

The only way a new login is possible, is to reset the cookies (restart IE
and delete cookies in Firefox).


>From my point of view, the session handlers (session_start(),
session_destroy() and session_regenerate_id()) must be atomic. So the
session handler must have exclusive access to the custom session methods in



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.roundcube.net/pipermail/dev/attachments/20071115/5d47464b/attachment.html>
-------------- next part --------------
List info: http://lists.roundcube.net/dev/

More information about the Dev mailing list