Can you help me with wireshark and see if the ajax requests send or not back he cookie? What browser did you use? Can you reproduce with multiple browsers?
My explanations must be wrong because the two sessions would not get the same id. On Sep 19, 8:53 pm, DenesL <[email protected]> wrote: > On Sep 19, 7:52 pm, Massimo Di Pierro <[email protected]> > wrote: > > > I did not try reproduce this but I can see a race condition caused by > > the browser. I make a guess. > > Actually it is pretty simple to reproduce. > As posted above, there is an index page containing several LOAD > commands. > To keep it simple, say there is only 2 of them, each of them loads a > form. > > > When the page is loaded there is no session. Depending on the browser > > it performs two ajax loads. There are three concurrent requests, the > > outer page, and the two ajax requests. > > I believe there are only two concurrent requests, the LOAD ones, the > index has already been served. > > > There is noway to tell in which > > order the complete not if one of them completes before the other two. > > True > > > Each of them gets issued a session. None of those requests knows there > > is another request going on handled in parallel by another thread. > > Each gets a session but it is the same session (same hash as per > prints above). > If somehow they could get different sessions then the problem would > not exist. > > > The last session returned is stored in the cookies and the other ones > > are forgotten. My guess is that if you have a landing page without > > ajax and then redirect to the page in question, there is no problem. > > > If my guess it right this cannot be fixed unless there is a js way to > > make sure ajax requests are executed after the outer page has stored > > the session cookie. > > Maybe there is a way to distinguish LOAD sessions coming from the same > page. > Currently any simultaneously LOADed form might have to be clicked > twice before it works, at random, so sometimes you have to click it > once sometimes twice, annoying the user which is never good policy. > This limits the use of components. > Lets give this some more thought.
