View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0006599 | OXID eShop (all versions) | 4.02. Session handling | public | 2017-03-07 20:07 | 2024-04-03 11:16 |
| Reporter | Adrian.Kirchner | Assigned To | |||
| Priority | normal | Severity | major | Reproducibility | always |
| Status | resolved | Resolution | fixed | ||
| Product Version | 6.0.0-beta.2 | ||||
| Fixed in Version | 6.1.0 | ||||
| Summary | 0006599: race condition in order finalization when session locking is disabled | ||||
| Description | When using OXID eShop in an environment where session locking is disabled, you can experience race conditions (<= 5.3) or deadlocks (>= 6.0) when order finalization takes place and "[..]somebody klicked like mad on order button"[1]. Besides the madness, it is likely to happen when MySQL has hiccups and responds slowly while [2] is executed and the user clicks again to make sure the order is submitted. When running into this problem, the following cases occur: OXID eShop <= 5.3 The oxorder tuple gets saved twice (with the same OXID taken from sess_challenge and two order confirmation mails) but reserves two order numbers via the oxcounter mechanism thus resulting in one skipped order number. Yet even more important is, that the basket content is saved twice in oxorderarticles with the same referencing oxorder.oxid. OXID eShop >= 6.0 Although data consistency is ensured through transactions (no skipped order number, no redundant oxorderarticles tuples) it results in a deadlock exception and the user sees a blank page. ---- Non-locking sessions can be a huge performance benefit for example when using AJAX. Besides that, not all session storages have locking implemented. To name one: The Redis php extension doesn't have this feature [3] but is suggested by you [4]. A good overview of possible php session storages and their locking behaviour can be found here [5]. [1] https://github.com/OXID-eSales/oxideshop_ce/blob/12cb080af1246d3c5a23700f75e383da8dedddc9/source/Application/Model/Order.php#L491 [2] 5.3: https://github.com/OXID-eSales/oxideshop_ce/blob/f348507e5d4b6fe4b258569ffe2aa3fa1c743031/source/application/models/oxorder.php#L544 6.0: https://github.com/OXID-eSales/oxideshop_ce/blob/12cb080af1246d3c5a23700f75e383da8dedddc9/source/Application/Model/Order.php#L525 [3] https://github.com/phpredis/phpredis/issues/37 [4] https://oxidforge.org/en/session-handling-with-oxid-eshop-6-0.html [5] https://ma.ttias.be/php-session-locking-prevent-sessions-blocking-in-requests/ | ||||
| Steps To Reproduce | - Make sure your setup has session locking disabled [5] - add a sleep(10); before the save call in [2] to "simulate" bad MySQL responsiveness or just to buy you more time in the last checkout step - add one article to your basket - go through the checkout steps and click twice at "Order now" in the last checkout step | ||||
| Tags | No tags attached. | ||||
| Theme | Not defined | ||||
| Browser | Firefox, Internet Explorer, Google Chrome | ||||
| PHP Version | Not defined | ||||
| Database Version | Not defined | ||||
|
|
The transaction has been removed again in https://github.com/OXID-eSales/oxideshop_ce/commit/04d6c29e35016154cd3d293678bc77e2d888bacc for the same reason. Please verify that this fixes your issue as well. |
