yii2-redis icon indicating copy to clipboard operation
yii2-redis copied to clipboard

Published 20 hours ago verified publisher icon yiisoft

Redis locking session

Open malsatin opened this issue 6 years ago • 11 comments

Is that possible to add session locking functionality to redis sessions? That has been added 1 year ago to phpredis: https://github.com/phpredis/phpredis/pull/1181

Probably, this easiest wy to do that is to move to ext-redis (as this guy did https://github.com/dcb9/yii2-phpredis)

Could be enabled with such setting.

'components' => [
   ...
   'session' => [
      ...
      'locking' => true/false,
   ]
]

malsatin avatar Jul 05 '18 01:07 malsatin

could you briefly explain why you need this feature? As far as I see session writes are atomic with redis so there should not be a need for locking. What am I missing?

cebe avatar Jul 13 '18 21:07 cebe

That may be usefull for user state syncronisation

malsatin avatar Jul 13 '18 22:07 malsatin

what exactly is locked there and how long?

cebe avatar Jul 13 '18 22:07 cebe

For example, user has some balance. If we use locking session then chance of race condition on wallet changes is neligible. Plus, althought redis writes are atomic this does not mean that some session data(i.e. flash messages) may be overwritten due to race condition

malsatin avatar Jul 13 '18 22:07 malsatin

So you want to lock session data for the time of the request (the time the session is open)?

cebe avatar Jul 13 '18 22:07 cebe

Yes. Exactly like usual php sessions do

malsatin avatar Jul 13 '18 23:07 malsatin

@samdark any ETA on this feature?

dmftaras avatar Oct 02 '20 05:10 dmftaras

AFAIK no one is working on this ATM. Would you like to prepare PR?

bizley avatar Oct 02 '20 08:10 bizley

I'm wondering if this could be related to an issue I'm having with Redis sessions. When a long-running request (such as dataProvider query in PJAX) is cancelled or terminated early, the user is logged out; it seems like it is most likely to happen when there are XHR requests in-flight that also use the session. Another way that is can happen is if two different browsers are using the same session at the same time. Does anyone on this thread know why that might happen? It's almost as if the request has to get to the end in order to stabilize the state of the session object in Redis; but I don't believe that's how the session handlers work. Would a failure to session->set() result in a logout in this case?

synatree avatar Oct 28 '20 13:10 synatree

@synatree have you tried to trace, what is happening during such problem? What is the contents of the Redis session value before the request, during the request and after the request?

malsatin avatar Oct 28 '20 14:10 malsatin

I've been revisiting the issue today and I think it is likely related to CSRF tokens being generated "too many times" and causing the session to be destroyed (due to a forced log out) between ajax requests or something like that. In other words, I'm not sure it's related to Redis at all, but once I trace it out I'll report back.

synatree avatar Oct 28 '20 14:10 synatree