I am experiencing what looks to me like a “race condition” when 2 users (almost) simultaneously access the same page. This causes the user to gain access to another user's data.
I have the generic setup for users along with the module called Users & Rights. I am storing my session data in a database table.
I have been trying to catch this issue for some months and have finally managed to do so. I am using Yii Framework 1.1.20 and the user login process is as follows:
- Sessions are stored in the database; I don't actually use $_SESSION to store user data (a field in the user table holds this information).
- PHPSESSID is stored in a cookie.
- From the login page, I store PHPSESSID from the cookie in a field of the form.
- The user logs in, input is validated, Session Data is created and stored with the user record, including the PHPSESSID from the form (the real PHPSESSID). The user is then routed through 2 more controllers (Session/LoginCheck, Dashboard/home) to land on the Dashboard.
- During a session, the user will frequently return to the dashboard.
- When 2 or more users access the dashboard page (almost) simultaneously (via login or returning from a page within the site), both users will end up with the same cookie id and session data. I can confirm this by checking the browser-based cookie with the cookie value stored in the $_COOKIE variable. A simple refresh of the dashboard on the page with the incorrect data results in the correct data being loaded.
I have researched race conditions with sessions in PHP, and some of these offer the use of $_COOKIE to resolve race conditions with sessions, so they are not really providing me with any solutions to my problem.
As I am able to trap the issue, I can easily resolve it with a refresh, but if there is a more stable solution available I would prefer to go down that route.
Any advice would be greatly appreciated.