I’m the author of the offending blog post, and I’ve just created an account on this forum to address WanWizard’s concerns.
First of all, I should point out that I don’t regularly visit this forum, and so am guilty of not reading your version of this ‘fix’ that you’ve already proposed. You’ll have to take my word on this because I don’t have any other proof that I was not aware of your previous post. Also, as I am not in academia any more, I did not feel the need to rigorously define what I mean by “race condition” because I feel that the term adequately conveys what I am trying to describe.
My intention was to document a problem I’ve run across mainly so that I wouldn’t have to remember the details the next time I have to deal with it (probably the next time I needed to sync up to the ‘develop’ branch) and I had hoped that it would be useful to someone else (which is why most people write technical posts).
I am aware that there exist multiple solutions to this class of problem, of which the one I proposed is one of the “standard” ones (I mention that in the blog post), so I’m not surprised that you’ve also come up with it. I apologize if I have inadvertently duplicated your code down to structure and variable names, and am very surprised to have run across someone who thinks in exactly the same way.
I am also aware of the limitations of this hack, and I do mention that, but I suppose I could have elaborated on it a bit more. I wrote: “With the default session rotation time of 5 minutes, only two session_id values need to be stored because each request round trip time is expected to be well less than the rotation time.”
This works for my purposes because I don’t expect the requests I handle to continue for that long, and I feel that is the most common case for traffic that CodeIgniter handles (although this is purely speculation on my part).
If you had read my post, you would have seen that I quoted the current ‘develop’ branch’s sess_update function: “if ($this->CI->input->is_ajax_request())”, but I did not feel that the solution was sufficient because I’ve run into situations where two concurrent non-ajax requests occurred. Although you claim that concurrent requests are not part of the design, and you probably don’t have to support that case, it is a requirement for me and I appreciate the fact that CodeIgniter allows me the flexibility to handle something that isn’t supported by its current design.
Finally, I disagree that a permanent fix would require a redesign of the session class: the other “standard” solution is to keep track of all previously generated session ids (with the requirement that no session id may be reused), and handle any requests using them. This could be implemented by keeping an indexed list of those old session ids, or even by duplicating an existing session id row with the old session id before updating it to the new session id. This should work as long as pointers are kept to the most current session id. An implementation of this could use the same table structure as the solution I proposed. For completeness, I will mention that it should be sufficient to limit the number of old session ids that are tracked so that the total time that is tracked is only slightly greater than the maximum time required to be tracked.
Because this is a standard solution (of which my blog post refers to a degenerate case), you may have very well proposed this before me, and I will apologize again if you did.
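
The scheme described in the post above (retired session ids kept as pointers to the current id, and tracked only for a bounded time), as an added PHP 8 example that is not the poster's code or CodeIgniter's session class. The class name, the in-memory arrays standing in for the session table, and the 30-second grace value are assumptions; 300 seconds matches the 5-minute rotation time quoted in the post.

```php
<?php
// Added illustration; all names are hypothetical and arrays stand in for the session table.
final class RotatingSessionStore
{
    private array $sessions = []; // current id => ['data' => array, 'rotated_at' => int]
    private array $aliases = [];  // retired id => ['current' => string, 'retired_at' => int]

    public function __construct(private int $rotateAfter = 300, private int $grace = 30) {}

    public function create(array $data, int $now): string
    {
        $id = bin2hex(random_bytes(16));
        $this->sessions[$id] = ['data' => $data, 'rotated_at' => $now];
        return $id;
    }

    // Returns [current id, data], or null when the id is unknown or past its grace window.
    public function resolve(string $presented, int $now): ?array
    {
        foreach ($this->aliases as $old => $a) { // stop tracking ids retired too long ago
            if ($now - $a['retired_at'] > $this->grace) { unset($this->aliases[$old]); }
        }
        $id = isset($this->sessions[$presented]) ? $presented : ($this->aliases[$presented]['current'] ?? null);
        if ($id === null || !isset($this->sessions[$id])) { return null; }
        // Rotate only when the current id is presented, so a late request cannot trigger a second rotation.
        if ($id === $presented && $now - $this->sessions[$id]['rotated_at'] >= $this->rotateAfter) {
            $new = bin2hex(random_bytes(16));
            $this->sessions[$new] = ['data' => $this->sessions[$id]['data'], 'rotated_at' => $now];
            unset($this->sessions[$id]);
            foreach ($this->aliases as $old => $a) { // keep every pointer aimed at the newest id
                if ($a['current'] === $id) { $this->aliases[$old]['current'] = $new; }
            }
            $this->aliases[$id] = ['current' => $new, 'retired_at' => $now];
            $id = $new;
        }
        return [$id, $this->sessions[$id]['data']];
    }
}

// Constructed scenario: two concurrent requests carry the same cookie across a rotation.
$store = new RotatingSessionStore();
$cookie = $store->create(['user' => 'alice'], 0);
[$rotated] = $store->resolve($cookie, 301); // request A arrives after 5 minutes and rotates the id
$b = $store->resolve($cookie, 302);         // request B still presents the retired id
var_dump($rotated !== $cookie, $b !== null && $b[0] === $rotated);
var_dump($store->resolve($cookie, 400));    // the retired id presented again after the grace window
```

The grace value is the period during which a retired id is still accepted, so it should stay only slightly above the longest expected request round trip.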