On Tue, Oct 07, 2025 at 10:45:27AM +0100, Joe Orton wrote:
> There should already be a global lock held by API consumer, since the
> socache provider is marked with AP_SOCACHE_FLAG_NOTMPSAFE. It looks like
> mod_authn_socache is protecting entry to the socache provider inside a
> global mutex without checking that flag - overkill but should be safe.

Ah, not true, it only does it for ->store(). The ->retrieve() calls are then unsafe and racy, that's definitely a bug.
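
A simplified, self-contained model of the locking pattern discussed in this message, added here as an illustration and not taken from httpd or mod_authn_socache. `cache_provider`, `NOTMPSAFE` (standing in for AP_SOCACHE_FLAG_NOTMPSAFE), the toy backend and the `guarded_*`/`unguarded_*` wrappers are hypothetical names; the counter records every provider entry made without the mutex.

```c
#include <pthread.h>
#include <string.h>

/* Simplified stand-ins (assumptions), not httpd's own types. */
#define NOTMPSAFE 0x1 /* models AP_SOCACHE_FLAG_NOTMPSAFE */
typedef struct {
    unsigned flags;
    int (*store)(const char *key, const char *val);
    int (*retrieve)(const char *key, char *out, size_t n);
} cache_provider;

static pthread_mutex_t cache_mutex = PTHREAD_MUTEX_INITIALIZER;
static int lock_held;      /* instrumentation: 1 while cache_mutex is held */
static int unlocked_calls; /* provider entries made without the mutex */

/* Toy one-slot backend with no locking of its own (constructed for the demo). */
static char slot_key[64], slot_val[64];
static int toy_store(const char *k, const char *v) {
    if (!lock_held) unlocked_calls++;
    strncpy(slot_key, k, sizeof slot_key - 1);
    strncpy(slot_val, v, sizeof slot_val - 1);
    return 0;
}
static int toy_retrieve(const char *k, char *out, size_t n) {
    if (!lock_held) unlocked_calls++;
    if (strcmp(k, slot_key) != 0) return -1;
    strncpy(out, slot_val, n - 1);
    out[n - 1] = '\0';
    return 0;
}
cache_provider toy = { NOTMPSAFE, toy_store, toy_retrieve };

/* Take the mutex only when the provider declares itself not MP-safe. */
static void cache_lock(const cache_provider *p) {
    if (p->flags & NOTMPSAFE) { pthread_mutex_lock(&cache_mutex); lock_held = 1; }
}
static void cache_unlock(const cache_provider *p) {
    if (p->flags & NOTMPSAFE) { lock_held = 0; pthread_mutex_unlock(&cache_mutex); }
}
int guarded_store(const cache_provider *p, const char *k, const char *v) {
    cache_lock(p); int rv = p->store(k, v); cache_unlock(p); return rv;
}
int guarded_retrieve(const cache_provider *p, const char *k, char *out, size_t n) {
    cache_lock(p); int rv = p->retrieve(k, out, n); cache_unlock(p); return rv;
}
/* The pattern reported above: retrieve() entered without the mutex. */
int unguarded_retrieve(const cache_provider *p, const char *k, char *out, size_t n) {
    return p->retrieve(k, out, n);
}
```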
