[Catalyst] Session duplicate key constraints on concurrent requests

Janne Snabb snabb at epipe.com
Fri Oct 7 16:59:06 GMT 2011

On Fri, 7 Oct 2011, Erik Wasser wrote:

> How will the session key calculated? Any idea? Randomly? So two random 
> processes will calculate the same session value?

It is still the same session cookie as before, but it has already
expired from the database? Thus both sessions try to re-insert it
simultaneously which leads to failure?

As long as both application instances are talking to the same DB
server (thus you do not use "random" as the distribution method in
your load balancer, but base it on IP or something) "serializable"
transaction solves this. If you have replication and you are
replicating the state tables... you might end up with broken
replication (if the collision happens in replication). I am quite
sure many other web applications are vulnerable to this as well.

I think the proper way to solve it is to drop the constraint on the
cookie and just insert the cookie and have an auto_increment ID in
the table. And when reading, select the cookie with the highest ID
(because there might be several).

Janne Snabb / EPIPE Communications
snabb at epipe.com - http://epipe.com/

More information about the Catalyst mailing list