View Issue Details

ID: 0006599
Project: OXID eShop (all versions)
Category: 4.02. Session handling
View Status: public
Last Update: 2017-03-17 17:53
Reporter: Adrian.Kirchner
Priority: normal
Severity: major
Reproducibility: always
Status: acknowledged
Resolution: open
Product Version: 6.0.0-beta.2
Target Version:
Fixed in Version:
Summary: 0006599: race condition in order finalization when session locking is disabled
Description: When using OXID eShop in an environment where session locking is disabled, you can experience race conditions (<= 5.3) or deadlocks (>= 6.0) when order finalization takes place and "[..]somebody klicked like mad on order button"[1]. Besides the madness, it is likely to happen when MySQL has hiccups and responds slowly while [2] is executed and the user clicks again to make sure the order is submitted.

When running into this problem, the following cases occur:

OXID eShop <= 5.3
The oxorder tuple gets saved twice (with the same OXID taken from sess_challenge and two order confirmation mails) but reserves two order numbers via the oxcounter mechanism, thus resulting in one skipped order number. Yet even more important is that the basket content is saved twice in oxorderarticles with the same referencing oxorder.oxid.

OXID eShop >= 6.0
Although data consistency is ensured through transactions (no skipped order number, no redundant oxorderarticles tuples) it results in a deadlock exception and the user sees a blank page.

----

Non-locking sessions can be a huge performance benefit, for example when using AJAX. Besides that, not all session storages have locking implemented. To name one: the Redis PHP extension doesn't have this feature [3] but is suggested by you [4].
A good overview of possible php session storages and their locking behaviour can be found here [5].


[1] https://github.com/OXID-eSales/oxideshop_ce/blob/12cb080af1246d3c5a23700f75e383da8dedddc9/source/Application/Model/Order.php#L491

[2]
5.3: https://github.com/OXID-eSales/oxideshop_ce/blob/f348507e5d4b6fe4b258569ffe2aa3fa1c743031/source/application/models/oxorder.php#L544
6.0: https://github.com/OXID-eSales/oxideshop_ce/blob/12cb080af1246d3c5a23700f75e383da8dedddc9/source/Application/Model/Order.php#L525

[3] https://github.com/phpredis/phpredis/issues/37

[4] https://oxidforge.org/en/session-handling-with-oxid-eshop-6-0.html

[5] https://ma.ttias.be/php-session-locking-prevent-sessions-blocking-in-requests/
Steps To Reproduce:
- Make sure your setup has session locking disabled [5]
- add a sleep(10); before the save call in [2] to "simulate" bad MySQL responsiveness or just to buy you more time in the last checkout step
- add one article to your basket
- go through the checkout steps and click twice on "Order now" in the last checkout step
Tags: No tags attached.
Theme: Not defined
Browser: Firefox, Internet Explorer, Google Chrome
PHP Version: 5.6
MySQL Version: 5.5
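The double-submit race described in this report, as an added example that is not OXID code: a Python model of two "Order now" requests sharing one unlocked session (both pass the "already finalized?" check, each reserves an order number, both write the order articles and send a mail) beside the same flow serialized by a per-session lock. The Shop class, the session dict and the sess_challenge value are constructed stand-ins for oxcounter, oxorder, oxorderarticles and the PHP session; the barrier stands in for MySQL responding slowly at the moment the second click arrives.

```python
"""Model of the order-finalization race with and without session locking.

Added example, not OXID eShop code. Shop, session and sess_challenge are
constructed stand-ins for the oxcounter/oxorder/oxorderarticles tables and
the PHP session.
"""
import threading
import time
from dataclasses import dataclass, field


@dataclass
class Shop:
    """Minimal stand-in for the oxcounter, oxorder and oxorderarticles tables."""
    counter: int = 0                                     # oxcounter: reserved order numbers
    orders: dict = field(default_factory=dict)           # oxorder: oxid -> order number
    order_articles: list = field(default_factory=list)   # oxorderarticles: (order oxid, article)
    mails_sent: int = 0
    counter_lock: threading.Lock = field(default_factory=threading.Lock)

    def reserve_order_number(self):
        # The counter itself is atomic; the race in the report is one level up.
        with self.counter_lock:
            self.counter += 1
            return self.counter


def finalize_order(shop, session, basket, slow_db):
    """One request's order finalization. `slow_db` is called between the
    duplicate check and the writes, where a slow MySQL answer would sit."""
    if "order_oxid" in session:              # already finalized in this session?
        return session["order_oxid"]
    oxid = session["sess_challenge"]         # the order's OXID comes from the session
    slow_db()
    number = shop.reserve_order_number()
    shop.orders[oxid] = number               # a second save with the same OXID overwrites
    for article in basket:
        shop.order_articles.append((oxid, article))
    shop.mails_sent += 1
    session["order_oxid"] = oxid
    return oxid


def simulate_double_click(use_session_lock):
    """Run two concurrent 'Order now' requests on one session and return the Shop."""
    shop = Shop()
    session = {"sess_challenge": "a1b2c3"}   # constructed sample session
    basket = ["article-1"]                   # constructed one-article basket
    session_lock = threading.Lock()
    both_past_check = threading.Barrier(2)

    def request():
        if use_session_lock:
            # Locked session: the whole request is serialized, the delay is plain latency,
            # and the second request sees the first one's result in the session.
            with session_lock:
                finalize_order(shop, session, basket, lambda: time.sleep(0.01))
        else:
            # Unlocked session: the barrier forces both requests past the duplicate
            # check before either writes, which is what a double click achieves
            # when MySQL is slow.
            finalize_order(shop, session, basket, both_past_check.wait)

    threads = [threading.Thread(target=request) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return shop


if __name__ == "__main__":
    for locked in (False, True):
        s = simulate_double_click(locked)
        print(f"session lock={locked}: counter={s.counter} orders={len(s.orders)} "
              f"articles={len(s.order_articles)} mails={s.mails_sent}")
```

Without the lock the model reproduces the <= 5.3 symptoms from the report: one order row, two reserved order numbers (one skipped), the basket written twice under the same order OXID and two confirmation mails. With the lock the second request returns the existing order and every count is one. The 6.0 transactional variant is not modelled; there the same two requests contend on row locks inside the transaction instead, which is the deadlock the report describes.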

Activities

There are no notes attached to this issue.