Robin Elfrink wrote:
your patch is not fixing race condition
I think it does. This is what I observed (chronologically): What I did is merge existing session data with new session data, instead of overwriting.
My mistake, I've read the patch more precise now. I think it could fix some issues. One thing, rcube_sess_unset() and rcube_sess_write() are not atomic (should we use SELECT FOR UPDATE?).
php's unserialize() doesn't handle the 'name|serializeddata;othername|serializeddata;' structure.
I see now, it's needed for data merging. session_real_decode() from comments to http://php.net/manual/en/function.session-decode.php should be better.