Posted to modperl@perl.apache.org by Joost N <jo...@gmail.com> on 2005/07/21 14:33:01 UTC

Output leaking from one session to another?

Hello,

Yesterday morning our ISP upgraded our Debian server to Apache/1.3.33
and mod_perl/1.29. Yesterday evening we got a report of a visitor who
claimed to have seen another visitor's data. Inspecting the access log
indeed shows that this visitor had clicked on hyperlinks that he
should not have been able to see, and might have captured another
user's session this way.

Our website gets hundreds of hits per minute at busy times and has
been happily running mod_perl for about 4 years now, without any
problem, so I suspect it has something to do with the upgrade earlier
that day.

Could there be a problem that the output buffer of a previous request
is not flushed completely (due to a broken connection perhaps), so
that part of the output gets sent to the next client of the same
process?

Any other ideas where to look? Any help is appreciated!

Thanks,
Joost

Re: Output leaking from one session to another?

Posted by Joost N <jo...@gmail.com>.
On 7/21/05, Perrin Harkins <pe...@elem.com> wrote:
> > Could there be a problem that the output buffer of a previous request
> > is not flushed completely (due to a broken connection perhaps), so
> > that part of the output gets sent to the next client of the same
> > process?
>
> I don't think so.
>
> This kind of thing is usually caused by a scoping bug, where something
> is getting put into a global or a closure and unintentionally used on
> consecutive requests.  It could also be caused by multiple people
> getting the same session ID, depending on what you use to generate them.

You are right, I turned on 'use strict' and found a scoping bug <blush>.
The upgrade was just a bad coincidence.

Sorry to have bothered you!
Joost

Re: Output leaking from one session to another?

Posted by Perrin Harkins <pe...@elem.com>.
Joost N wrote:
> Our website gets hundreds of hits per minute at busy times and has
> been happily running mod_perl for about 4 years now, without any
> problem, so I suspect it has something to do with the upgrade earlier
> that day.

It's a logical conclusion, but I doubt it.  I can't think of anything
that changed between releases of 1.x that could cause this sort of bug.
I suspect the bug has been there all along but only happens in
specific circumstances.

> Could there be a problem that the output buffer of a previous request
> is not flushed completely (due to a broken connection perhaps), so
> that part of the output gets sent to the next client of the same
> process?

I don't think so.

This kind of thing is usually caused by a scoping bug, where something 
is getting put into a global or a closure and unintentionally used on 
consecutive requests.  It could also be caused by multiple people 
getting the same session ID, depending on what you use to generate them.

If you describe what you upgraded from and tell us something about how 
you manage sessions, we might be able to make better guesses.

- Perrin
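
The kind of scoping bug described in this thread, as an added example that is not code from any of the posters: a constructed simulation of one persistent interpreter (as in a mod_perl child process) serving two requests in a row. The package names `Buggy` and `Fixed`, the `cookie_user` key and the sample requests are hypothetical, and it covers only the package-global case, not the closure case.

```perl
#!/usr/bin/perl
# Constructed simulation: a single long-lived interpreter handles two
# consecutive requests, the way one mod_perl child process does.
# No Apache is needed to run it.
use strict;
use warnings;

# --- Buggy handler: per-user state ends up in a package global ---------
{
    package Buggy;
    no strict 'vars';   # mimics legacy code written without 'use strict'

    sub handler {
        my (%req) = @_;
        # $user is undeclared, so it is the package global $Buggy::user.
        # It is assigned only when a cookie is present, so the value set
        # by one request is still there when the next request arrives.
        $user = $req{cookie_user} if $req{cookie_user};
        return "Account page for " . ($user // 'guest');
    }
}

# --- Fixed handler: a lexical that is initialised on every request -----
{
    package Fixed;

    sub handler {
        my (%req) = @_;
        my $user = $req{cookie_user};   # fresh variable on each call
        return "Account page for " . ($user // 'guest');
    }
}

# Constructed requests: a logged-in visitor, then an anonymous visitor
# served by the same process.
my @requests = ( { cookie_user => 'alice' }, {} );

for my $pkg (qw(Buggy Fixed)) {
    for my $i (0 .. $#requests) {
        my $out = $pkg->can('handler')->( %{ $requests[$i] } );
        print "$pkg request ", $i + 1, ": $out\n";
    }
}
```

With the buggy handler the anonymous second request is rendered as alice's page, while the fixed handler renders it for guest. Deleting the `no strict 'vars'` line makes the buggy package fail to compile with a "Global symbol "$user" requires explicit package name" error, which is how `use strict` exposes this class of bug.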