View Issue Details

ID: 0006599
Project: OXID eShop (all versions)
Category: 4.02. Session handling
View Status: public
Last Update: 2024-04-03 11:16
Reporter: Adrian.Kirchner
Assigned To: (none)
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 6.0.0-beta.2
Fixed in Version: 6.1.0
Summary: 0006599: race condition in order finalization when session locking is disabled

Description:
When using OXID eShop in an environment where session locking is disabled, you can experience race conditions (<= 5.3) or deadlocks (>= 6.0) when order finalization takes place and "[..]somebody klicked like mad on order button" [1]. Besides the madness, it is likely to happen when MySQL has hiccups and responds slowly while [2] is executed and the user clicks again to make sure the order is submitted.

When running into this problem, the following cases occur:

OXID eShop <= 5.3
The oxorder tuple gets saved twice (with the same OXID taken from sess_challenge, and two order confirmation mails are sent) but reserves two order numbers via the oxcounter mechanism, thus resulting in one skipped order number. Yet even more important is that the basket content is saved twice in oxorderarticles with the same referencing oxorder.oxid.

OXID eShop >= 6.0
Although data consistency is ensured through transactions (no skipped order number, no redundant oxorderarticles tuples) it results in a deadlock exception and the user sees a blank page.

----

Non-locking sessions can be a huge performance benefit, for example when using AJAX. Besides that, not all session storages have locking implemented. To name one: the Redis PHP extension doesn't have this feature [3] but is suggested by you [4].
A good overview of possible php session storages and their locking behaviour can be found here [5].


[1] https://github.com/OXID-eSales/oxideshop_ce/blob/12cb080af1246d3c5a23700f75e383da8dedddc9/source/Application/Model/Order.php#L491

[2]
5.3: https://github.com/OXID-eSales/oxideshop_ce/blob/f348507e5d4b6fe4b258569ffe2aa3fa1c743031/source/application/models/oxorder.php#L544
6.0: https://github.com/OXID-eSales/oxideshop_ce/blob/12cb080af1246d3c5a23700f75e383da8dedddc9/source/Application/Model/Order.php#L525

[3] https://github.com/phpredis/phpredis/issues/37

[4] https://oxidforge.org/en/session-handling-with-oxid-eshop-6-0.html

[5] https://ma.ttias.be/php-session-locking-prevent-sessions-blocking-in-requests/
Steps To Reproduce:
- Make sure your setup has session locking disabled [5]
- add a sleep(10); before the save call in [2] to "simulate" bad MySQL responsiveness, or just to buy yourself more time in the last checkout step
- add one article to your basket
- go through the checkout steps and click twice on "Order now" in the last checkout step
Tags: No tags attached.
Theme: Not defined
Browser: Firefox, Internet Explorer, Google Chrome
PHP Version: Not defined
Database Version: Not defined
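The race the report describes (two requests from the same unlocked session both read the same sess_challenge, both pass the "order exists?" check, both write) and an idempotency guard for it, as an added example that is not part of the bug report and is not OXID code. Python with SQLite stands in for PHP with MySQL; the table and column names oxorder, oxordernr, oxcounter and oxorderarticles are taken from the report, while the schema details, the order_claim table, the challenge id and the basket are constructed for this demo. The guard (claim the challenge id with a plain INSERT into a table whose PRIMARY KEY is the challenge id, so the second request gets a duplicate-key error instead of passing a SELECT-based check) is a generic technique, not the fix the project shipped.

```python
"""Check-then-act race in order finalization without session locking,
and an atomic-claim guard that makes the finalization step idempotent.
Added example modelled on the bug report; not OXID code.  SQLite stands
in for MySQL; order_claim and all sample data are assumptions."""

import os
import sqlite3
import tempfile
import threading


def setup_db(path):
    """Minimal schema for the demo (assumed, not OXID's real one)."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE oxorder (oxid TEXT PRIMARY KEY, oxordernr INTEGER);
        CREATE TABLE oxorderarticles (id INTEGER PRIMARY KEY AUTOINCREMENT,
                                      oxorderid TEXT, oxartid TEXT, oxamount INTEGER);
        CREATE TABLE oxcounter (oxident TEXT PRIMARY KEY, oxcount INTEGER);
        INSERT INTO oxcounter VALUES ('oxOrder', 0);
        -- guard table (assumption): PRIMARY KEY makes claiming a challenge id atomic
        CREATE TABLE order_claim (oxid TEXT PRIMARY KEY);
    """)
    conn.close()


def finalize_order(db_path, sess_challenge, basket, checkpoint, atomic_claim):
    """One 'Order now' request.  `checkpoint` is a Barrier(2): both requests
    start together and both finish the existence check before either writes,
    which is what a slow MySQL (the report's sleep(10)) allows to happen."""
    conn = sqlite3.connect(db_path, timeout=10)
    try:
        checkpoint.wait()                       # both clicks arrive
        claimed = True
        if atomic_claim:
            try:                                # the INSERT itself is the check
                conn.execute("INSERT INTO order_claim (oxid) VALUES (?)", (sess_challenge,))
                conn.commit()
            except sqlite3.IntegrityError:      # another request owns this challenge
                conn.rollback()
                claimed = False
        cur = conn.execute("SELECT COUNT(*) FROM oxorder WHERE oxid = ?", (sess_challenge,))
        (existing,) = cur.fetchone()
        cur.close()
        checkpoint.wait()                       # DB stalls between check and write
        if not claimed:
            return "duplicate-submit-ignored"
        if existing:
            return "already-finalized"
        # the <= 5.3 write sequence from the report: upsert the order row,
        # draw a number from oxcounter, save the basket as oxorderarticles
        conn.execute("INSERT OR REPLACE INTO oxorder (oxid, oxordernr) VALUES (?, NULL)",
                     (sess_challenge,))
        conn.execute("UPDATE oxcounter SET oxcount = oxcount + 1 WHERE oxident = 'oxOrder'")
        (order_nr,) = conn.execute(
            "SELECT oxcount FROM oxcounter WHERE oxident = 'oxOrder'").fetchone()
        conn.execute("UPDATE oxorder SET oxordernr = ? WHERE oxid = ?", (order_nr, sess_challenge))
        conn.executemany(
            "INSERT INTO oxorderarticles (oxorderid, oxartid, oxamount) VALUES (?, ?, ?)",
            [(sess_challenge, art, qty) for art, qty in basket])
        conn.commit()
        return "confirmation-mail-sent"
    finally:
        conn.close()


def simulate_double_click(atomic_claim):
    """Run two concurrent requests for one session and report the DB state."""
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "shop.sqlite")
        setup_db(db_path)
        sess_challenge = "3f1c0b4d9e2a7c5b"    # constructed challenge id
        basket = [("article-A", 1)]             # constructed basket
        checkpoint = threading.Barrier(2)
        results = []

        def request():
            try:
                results.append(finalize_order(db_path, sess_challenge, basket,
                                              checkpoint, atomic_claim))
            except Exception as exc:            # surface failures, don't hang the peer
                checkpoint.abort()
                results.append(f"error: {exc!r}")

        threads = [threading.Thread(target=request) for _ in range(2)]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        conn = sqlite3.connect(db_path)
        state = {
            "orders": conn.execute("SELECT COUNT(*) FROM oxorder").fetchone()[0],
            "order_nr": conn.execute("SELECT oxordernr FROM oxorder").fetchone()[0],
            "numbers_reserved": conn.execute("SELECT oxcount FROM oxcounter").fetchone()[0],
            "order_articles": conn.execute("SELECT COUNT(*) FROM oxorderarticles").fetchone()[0],
            "mails_sent": results.count("confirmation-mail-sent"),
        }
        conn.close()
        return state


if __name__ == "__main__":
    print("no guard :", simulate_double_click(atomic_claim=False))
    print("atomic claim:", simulate_double_click(atomic_claim=True))
```

Without the guard the run reproduces the report's <= 5.3 outcome: one oxorder row (the upsert overwrote it), two numbers drawn from oxcounter with the row carrying number 2 (number 1 skipped), the basket stored twice in oxorderarticles and two confirmation mails. With the guard the second request loses the INSERT on the primary key and returns without writing, whatever the session store does. The MySQL analogue is the same plain INSERT into a table with a unique key on the challenge id, handling the duplicate-key error as "already submitted"; whether that check belongs inside or outside a surrounding transaction is exactly the deadlock question the >= 6.0 part of the report raises.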

Activities

SvenBrunk (administrator), 2024-04-03 11:16, note ~0016703

The transaction has been removed again in https://github.com/OXID-eSales/oxideshop_ce/commit/04d6c29e35016154cd3d293678bc77e2d888bacc for the same reason.
Please verify that this fixes your issue as well.