- Bug
- Resolution: Fixed
- Major
- 2.7.13, 2.8.11, 2.9.5, 3.0.3
- Any
- MOODLE_27_STABLE, MOODLE_28_STABLE, MOODLE_29_STABLE, MOODLE_30_STABLE
- MOODLE_29_STABLE, MOODLE_30_STABLE

Sessions using memcached for persistence become corrupted after a long running page request is followed up by a second request, such as an AJAX request from the filepicker. If the user refreshes the page before the original request is completed, session state is lost, including authentication information. This then is sometimes compounded when using SSO (Shibboleth) authentication, and an authentication redirection loop occurs--though I've not been able to find the particular conditions (beyond the lost session) to reproduce this on demand.

In lib/classes/session/manager.php, line 77, in the start() method, the boolean value returned from the handler's start method is ignored. Due to another bug, https://bugs.php.net/bug.php?id=71962, in php-memcached, when session_start is called, and the session key lock is already present, php-memcached will get the "value not stored" response, and reattempt until the configured timeout has expired (120 seconds). It then returns true, and presents an empty $_SESSION array, and still is referencing the same session key value, despite it having failed to legitimately acquire the lock.

Because the USER element is now missing, when initialise_user_session is called, the corresponding DB record for the original session will be removed (line 364), after a new session id is generated.

Now, if the user attempts to refresh the page before the long-running operation has completed, or anything occurs before the original page request has an opportunity to call session_write_close, thus re-establishing the session state, then the original session state is lost--but even then, because the DB record was deleted by an AJAX request, on the next page request, the original session record will not be found and the original session will be discarded.
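
The failure sequence described above, as an added Python simulation (not Moodle or php-memcached code; the class and function names, key prefixes and retry count are constructed for illustration). The hardened path assumes the handler reports the lock timeout and the caller checks that result.

```python
# Constructed simulation of the session-lock failure; not Moodle or php-memcached code.
class ToyMemcached:
    """Minimal stand-in for memcached: add() stores only if the key is absent."""
    def __init__(self):
        self.data = {}

    def add(self, key, value):
        if key in self.data:
            return False              # the "value not stored" response
        self.data[key] = value
        return True

class LockTimeout(Exception):
    pass

def handler_start(cache, sid, attempts, report_failure):
    """Try to take the per-session lock, then load the session payload.

    With report_failure=False this mimics the reported behaviour: once the
    retries run out it still returns ok=True with an empty session.
    """
    for _ in range(attempts):
        if cache.add("lock." + sid, 1):
            return True, dict(cache.data.get("sess." + sid, {}))
    return (False, None) if report_failure else (True, {})

def manager_start(cache, db_sessions, sid, hardened):
    """Return the session id the request ends up with."""
    ok, session = handler_start(cache, sid, attempts=3, report_failure=hardened)
    if hardened and not ok:
        raise LockTimeout("could not acquire lock for " + sid)
    if "USER" not in session:
        # Described consequence: original DB record removed, new id generated.
        db_sessions.discard(sid)
        sid = "new-" + sid
        db_sessions.add(sid)
    return sid

def run(hardened):
    cache = ToyMemcached()
    cache.data["sess.abc"] = {"USER": "alice"}   # constructed session payload
    db_sessions = {"abc"}
    cache.add("lock.abc", 1)          # long-running request still holds the lock
    try:
        result = manager_start(cache, db_sessions, "abc", hardened)
    except LockTimeout:
        result = "refused"
    return result, sorted(db_sessions)
```

`run(False)` shows the second request replacing the authenticated session's DB record, while `run(True)` refuses the request and leaves the original record in place.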

- has a non-specific relationship to
  - MDL-44947 FilePicker AJAX (server files repository) causing session locking on large installation w/ Database sessions. (Open)
  - MDL-41065 On session timeout, filepicker ajax script should redirect to login page. (Closed)
  - MDL-30026 Prevent session lock waits from stalling server processes forever (Closed)
- has been marked as being related by
  - MDL-57477 PHP 7 sessions using memcached (3.x.x) : MDL-53947 causes regression (from MDL-53713) (Closed)
  - MDL-53019 Decide Moodle 3.2 requirements and push them to environment.xml (due date: 13/06/2016) (Closed)
- will be (partly) resolved by
  - MDL-54041 Test other session handlers than the file one (Closed)