
Under what conditions can the session be corrupted? By default App Engine uses MemcacheSessionHandler to save sessions, and Google even warns that it can be corrupted. From what I understand, it can be corrupted if multiple requests are handled at the same time? So if I make 3 REST calls, can these overwrite the session for each other?

The specific problem I'm having is with a CSRF check for Facebook Account-Kit. The CSRF tokens are saved in the sessions but the order doesn't seem to matter or they are corrupted somehow. Example:

  1. Generate CSRF 'ABC' and save in session by navigating to the site.
  2. Generate CSRF 'DEF' and save in session by clicking a link that takes you to another page to log in.
  3. Click login and send CSRF 'DEF' but the one in the session is 'ABC' so the call will fail.

How can that happen? There are even many seconds (~20) between each call. And I've checked that the session ID is the same for all requests. To make it worse, this doesn't happen every time either.

Elon Mallin
  • What Google warns about means (from what I understand) that MemcacheSessionHandler is not thread safe. What you're describing is not a symptom of that, so you'd need to explain what you're doing in more detail; in particular, step 2 seems like it is not doing what you claim it is doing. – apokryfos Mar 23 '17 at 10:53
  • @apokryfos I've implemented my own MemcacheAndMySqlSessionHandler as a wrapper to be able to place logs in all functions of the SessionHandlerInterface and to try to make more long-lived sessions. So I can see that the session ID of all my calls is the same, and I can see what is written to and read from the session. When I look in the App Engine logs I see just what I wrote there. 1) Save 'ABC' to session. 2) Save 'DEF' to session. 3) Mismatch 'ABC' != 'DEF', saving 'ABC' (saving happens when a request terminates). Any help you can think of is appreciated, thanks. – Elon Mallin Mar 23 '17 at 11:05
  • I found another call in the logs that happened after but almost simultaneously as step 2. So it seems that both read in the same session data. But the call I found now saves the session last so it will overwrite whatever was written in step 2. – Elon Mallin Mar 23 '17 at 11:14
  • Maybe include a Url in your logs. As a personal experience with Laravel, I was using it to serve a JS file (with some PHP code compiled in it) but that also loaded the session and removed any flashed data. That meant that whenever I was viewing a page which was including that file some session data was mysteriously disappearing. Frameworks usually load the session on each request (even AJAX requests) which may have unintended consequences if you don't expect it. – apokryfos Mar 23 '17 at 11:40
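The mechanism the comments converge on is a lost update: two requests for the same session ID both call read() before either calls write(), and whichever write() lands last silently discards the other one's changes (here, the fresh 'DEF' token). The standard fix is to hold a per-session lock for the whole request, the way PHP's files handler does, so that a concurrent request for the same session blocks in read() until the first one has written. The following is an added example, not code from the question, from the asker's MemcacheAndMySqlSessionHandler, or from Google's SDK. It assumes PHP 8.0+ and the `memcached` extension (class Memcached); the lock key prefix `sess_lock:`, the 127.0.0.1:11211 server, the TTL and wait values are all illustrative choices, and the inner handler is whatever handler you already use (PHP's built-in SessionHandler is used as a stand-in at the bottom).

```php
<?php
// Added example for this thread; not the asker's handler and not Google's
// MemcacheSessionHandler. Assumes PHP 8.0+ and the `memcached` extension.
declare(strict_types=1);

/**
 * Serialises concurrent requests that share a session id, so two requests
 * cannot both read the same session data and then clobber each other's
 * write (the 'ABC' / 'DEF' CSRF token mix-up described in the question).
 *
 * The lock is a memcached key created with add(), which only succeeds when
 * the key does not exist yet. It is taken in read() and dropped in close()
 * or destroy(), i.e. it is held for the whole request.
 */
final class LockingSessionHandler implements SessionHandlerInterface
{
    private string $lockKey = '';
    private string $lockToken = '';

    public function __construct(
        private SessionHandlerInterface $inner,
        private Memcached $memcached,
        private int $lockTtl = 30,        // seconds a crashed request may hold the lock (assumed value)
        private float $waitSeconds = 10,  // how long a blocked request waits before failing (assumed value)
    ) {}

    public function open(string $path, string $name): bool
    {
        return $this->inner->open($path, $name);
    }

    public function read(string $id): string|false
    {
        $this->acquireLock($id);          // blocks while another request owns this session
        return $this->inner->read($id);
    }

    public function write(string $id, string $data): bool
    {
        // Still under the lock taken in read(), so no concurrent request holds a stale copy.
        return $this->inner->write($id, $data);
    }

    public function close(): bool
    {
        $ok = $this->inner->close();
        $this->releaseLock();
        return $ok;
    }

    public function destroy(string $id): bool
    {
        $ok = $this->inner->destroy($id);
        $this->releaseLock();
        return $ok;
    }

    public function gc(int $max_lifetime): int|false
    {
        return $this->inner->gc($max_lifetime);
    }

    private function acquireLock(string $id): void
    {
        $this->lockKey   = 'sess_lock:' . $id;            // assumed key prefix
        $this->lockToken = bin2hex(random_bytes(16));     // identifies *our* lock on release
        $deadline = microtime(true) + $this->waitSeconds;
        while (!$this->memcached->add($this->lockKey, $this->lockToken, $this->lockTtl)) {
            if (microtime(true) >= $deadline) {
                // Fail closed: a request that cannot get a consistent view of the
                // session must not go on to a CSRF comparison against stale data.
                throw new RuntimeException("timed out waiting for session lock on $id");
            }
            usleep(50_000);
        }
    }

    private function releaseLock(): void
    {
        if ($this->lockKey === '') {
            return;
        }
        // Only delete the lock if it is still ours; if our TTL expired and another
        // request re-created the key, leave it alone. get()+delete() is not atomic,
        // so a small window remains; the TTL keeps its consequences bounded.
        if ($this->memcached->get($this->lockKey) === $this->lockToken) {
            $this->memcached->delete($this->lockKey);
        }
        $this->lockKey = $this->lockToken = '';
    }
}

// Wiring (assumed server address): wrap whatever save handler you use today.
$memcached = new Memcached();
$memcached->addServer('127.0.0.1', 11211);
$inner = new SessionHandler();   // PHP's default internal handler, as a stand-in for yours
session_set_save_handler(new LockingSessionHandler($inner, $memcached), true);
session_start();
```

With this in place the request that was found in the logs running almost simultaneously with step 2 waits in read() until step 2's request has written 'DEF', then reads 'DEF' and writes it back unchanged, so step 3's comparison succeeds. Two caveats: the lock has to live in a store shared by every process that can serve the session (memcached here), not in process memory, because App Engine can route requests for one user to different instances; and if your memcache can evict keys under pressure, an evicted lock key silently re-opens the race, so size the TTL and wait conservatively and keep the session-touching work per request short. Independently of locking, generating a new CSRF token on every page load enlarges the window for this bug; a token generated once per session and reused until login narrows it, although it does not fix the underlying lost update for other session data.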

0 Answers