dph6308 2016-07-14 11:39
浏览 60

会话重新生成导致快速AJAX调用的过期会话

My application is a full AJAX web page using Codeigniter Framework and memcached session handler.

Sometimes, it sends a lot of asynchronous calls and if session has to regenerate its ID (to avoid session fixation security issue), the session cookie is not renewed fast enough and some AJAX calls fail due to session id expired.

Here is a schematic picture I made to show clearly the problem : enter image description here

I walked across the similar threads (for example this one) but the answers doesn't really solve my problem, I can't disable the security as there is only AJAX calls in my application.

Nevertheless, I have an Idea and I would like an opinion before hacking into the Codeigniter session handler classes : The idea is to manage 2 simultaneous session Ids for a while, for example 30 seconds. This would be a maximum request execution time. Therefore, after session regeneration, the server would still accept the previous session ID, and switch to session to the new one. Using the same picture that would give something like this :

enter image description here

  • 写回答

2条回答 默认 最新

  • dongliao2011 2016-07-17 20:22
    关注

    your problem seems to be less with the actual speed of the requests (though it is a contributing factor) but more with concurrency. If i understand right, your javascript application makes many (async) ajax calls - fast (presumably in bursts)- and sometimes some of them fail due to session invalidation due to what you think is speed of requests issue. Well i think that the problem is that you actually have several concurrent requests to the server, while the first one has its session renewed the other essentially cannot see it because the request is already made and waits to be processed by the server.

    This problem will of course manifest itself only when doing several requests for the same user simultaneously.

    Now The real question here - what in your application business logic demands for this?

    It looks to me that you are trying to find a technical solution to a 'business' problem. What i mean is that either you've mis-interpreted your requirements, or the requirements are just not that well thought/specified.

    I would advice you to try some of the following:

    • ask yourself if these multiple simultaneous requests can be combined to one

    • look deeply into the requirements and try to find the real reason why you do what you do, maybe there is no real business reason for this

    • every time before you fire the series of requests fire a 'refresh' ajax request to get the new session, and only on success proceed with all the other requests

    Hope some of what i've wrote help to guide you to solution. Good luck

    评论

报告相同问题?

悬赏问题

  • ¥20 基于MSP430f5529的MPU6050驱动,求出欧拉角
  • ¥20 Java-Oj-桌布的计算
  • ¥15 powerbuilder中的datawindow数据整合到新的DataWindow
  • ¥20 有人知道这种图怎么画吗?
  • ¥15 pyqt6如何引用qrc文件加载里面的的资源
  • ¥15 安卓JNI项目使用lua上的问题
  • ¥20 RL+GNN解决人员排班问题时梯度消失
  • ¥60 要数控稳压电源测试数据
  • ¥15 能帮我写下这个编程吗
  • ¥15 ikuai客户端l2tp协议链接报终止15信号和无法将p.p.p6转换为我的l2tp线路