Hi,

I'm seeing a difficult-to-understand error that looks like a threading issue.

My application:

1. Takes data from an anonymous user (node add).
2. Creates a filename based on an md5 of a secret, the end user's email, and time().
3. Saves data to the file.
4. Sends an email to the user with a link to the file created.
5. Displays a "complete" page that has the link to the file.

Operations 2 and 3 happen within a single procedure.

The filename is determined thusly:

    $filename = md5($conf['myapp_secret_salt'] + $form_state['values']['Qualifyers']['Email'] + time());

Then I prepare data and write the file, then stash the filename in $_SESSION (for use later):

    $_SESSION['myapp']['filename'] = $filename;
    $_SESSION['myapp']['UserRegFormUrl'] = $params['filenameurl'];
    setcookie('myapp:filename', $filename); // this is somewhat of a hack to trap errors - see below.
    drupal_mail('myapp', 'notify', $form_state['values']['AdditionalQs']['Email'], NULL, $params, NULL, TRUE);

myapp_mail receives the filename from $params above, prepares and sends an email with a link to the file to the end user.

In step 1 above, in the form, I:

    $form['#redirect'] = 'registration/complete';

The node at registration/complete has some PHP in it that fetches the global variables (with the filename) and outputs a link to the file in the browser.

So that is the whole process. The problem I'm having is that some users are being pointed to files that belong to other users. I believe this is happening both in the email as well as on the registration/complete form. Some people have reported receiving links to files that were for another user. Also, I put some trap code in the registration/complete form. The form fetches the filename from $_SESSION and compares it to the filename in the cookie - if they don't match, it errors. That code is being tripped. I looked at a recent occurrence of the error and the two nodes involved (one for each of the users) had exactly the same time created timestamp.

My assumptions have been:

- Anonymous sessions are tied to a particular connection and data in $_SESSION is not shared.
- PHP procedures are threadsafe.

I'm running PHP 5 on Red Hat.

What am I doing wrong?

Thanks,
Dan
On Sep 25, 2008, at 10:28 PM, Dan Robinson wrote:
> $filename = md5($conf['myapp_secret_salt'] + $form_state['values']['Qualifyers']['Email'] + time());
> ...
> What am I doing wrong?

You're using arithmetic on your strings, not concatenation. Try this:

    $filename = md5($conf['myapp_secret_salt'] . $form_state['values']['Qualifyers']['Email'] . time());

I didn't completely audit the rest of your description, but that seems like the heart of the problem.

Cheers,
-Derek (dww)
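The difference between the two operators, as an added example that is not part of the original thread: under PHP 5, `+` converts each string without leading digits to 0, so the hashed value is only the timestamp and two submissions in the same second get the same file name. The salt, addresses and timestamp are constructed, the `(int)` casts stand in for PHP 5's implicit conversion, and `filename_random()` (PHP 7+) is an assumed alternative that nobody in the thread proposed.

```php
<?php
// Added illustration, not code from the thread. All values are constructed.

// The original expression. PHP 5 silently converts a string with no leading
// digits to 0 under "+"; the (int) casts reproduce that on PHP 7 and 8,
// which warn or throw a TypeError instead.
function filename_with_plus($salt, $email, $now) {
  return md5((string) ((int) $salt + (int) $email + $now));
}

// The corrected expression from the reply: "." concatenates the parts.
function filename_with_dot($salt, $email, $now) {
  return md5($salt . $email . $now);
}

// Assumed alternative (not from the thread): 128 bits from the CSPRNG,
// independent of the clock and of anything the user submits. PHP 7+.
function filename_random() {
  return bin2hex(random_bytes(16));
}

$salt  = 'constructed-secret-salt';
$now   = 1222396080;            // constructed: same second for both requests
$alice = 'alice@example.com';
$bob   = 'bob@example.com';

$plus_a = filename_with_plus($salt, $alice, $now);
$plus_b = filename_with_plus($salt, $bob, $now);
$dot_a  = filename_with_dot($salt, $alice, $now);
$dot_b  = filename_with_dot($salt, $bob, $now);

// With "+", neither the salt nor the address reaches md5().
printf("plus: same name for both users: %s\n", var_export($plus_a === $plus_b, true));
printf("plus: name is md5 of the time:  %s\n", var_export($plus_a === md5((string) $now), true));

// With ".", the address is part of the hashed string.
printf("dot:  same name for both users: %s\n", var_export($dot_a === $dot_b, true));

// The random name does not depend on any of the inputs.
printf("random: two draws are equal:    %s\n", var_export(filename_random() === filename_random(), true));
```

With concatenation, two submissions from the same address within the same second still hash to the same name, because `time()` has one-second resolution.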
Oh - cool - much thanks - that potentially explains some of it. I changed the code and crossed my fingers.

The part I still don't get is that when I get to the "confirmation" page, and am pulling values from $_SESSION, sometimes it seems that the sessions are getting crossed. To re-cap this part of the puzzle -

- enter procedure, store value in $_SESSION and a cookie
- leave procedure
- Drupal does a redirect
- on that redirected page I check to see if the values in $_SESSION and cookie are the same
- in high traffic situations I get intermittent errors here - values are NOT the same.

I suspect this is a different problem. There is more detail in my original message.

Thanks in advance,
Dan
On Fri, Sep 26, 2008 at 8:57 AM, Dan Robinson <dan@drob.org> wrote:
> The part I still don't get is that when I get to the "confirmation" page, and am pulling values from $_SESSION, sometimes it seems that the sessions are getting crossed. To re-cap this part of the puzzle -

Rather than storing the data in $_SESSION I think you could use a drupal_set_message (see http://api.drupal.org/api/function/drupal_set_message for details).

It shows a specific message to a user based on their session.

Regards,
Greg

--
Greg Knaddison
Denver, CO | http://knaddison.com | 303-800-5623
Growing Venture Solutions, LLC | http://growingventuresolutions.com
Hmmm... Interesting idea. But I'm not sure that would work from a user flow point of view.

My bigger question still stands which is:

How is it that I set the value in a cookie and in $_SESSION, test later and they don't match?

This is an intermittent problem under load.

Thanks,
Dan
On Fri, Sep 26, 2008 at 9:36 PM, Dan Robinson <dan@drob.org> wrote:
> Hmmm... Interesting idea. But I'm not sure that would work from a user flow point of view.
>
> My bigger question still stands which is:
>
> How is it that I set the value in a cookie and in $_SESSION, test later and they don't match?
>
> This is an intermittent problem under load.
>
> Thanks,

It's strange, I think that you have to write some tests to reproduce this kind of behaviour.

You are working with IIS? FastCGI? ISAPI? Linux? More details please :)

--
Paolo Mainardi
Vice Presidente Assoc.ILDN (http://www.ildn.net)
Blog: http://www.mainardipaolo.org