[development] Threading problems?

Dan Robinson dan at drob.org
Fri Sep 26 05:28:34 UTC 2008


I'm seeing a difficult to understand error that looks like a threading

My application

1. Takes data from an anonymous user (node add).
2. Creates a filename based on an md5 of a secret, the endusers email,
and time()
3. Saves data to the file
4. Sends an email to user with a link to the file created
5. Displays a "complete" page that has the link to the file.

Operations 2 and 3 happen within a single procedure

The filename is determined thusly:

    $filename = md5($conf['myapp_secret_salt'] +
$form_state['values']['Qualifyers']['Email'] + time());

Then I prepare data and write the file, then stash the filename in
$_SESSION (for use later)

    $_SESSION['myapp']['filename'] = $filename;
    $_SESSION['myapp']['UserRegFormUrl'] = $params['filenameurl'];
    setcookie('myapp:filename', $filename);  // this is somewhat of a
hack to trap errors - see below.
    drupal_mail('myapp', 'notify',
$form_state['values']['AdditionalQs']['Email'], NULL, $params, NULL, TRUE);

myapp_mail receives the filename from $params above, prepares and sends
an email with a link to the file to the end-user.

In step 1 above in the form I:

    $form['#redirect'] = 'registration/complete';

The node at registration/complete has some php in it that fetches the
global variables (with the filename) and outputs a link to the file in
the browser.

So that is the whole process.  The problem I'm having is that some users
are being pointed to files that belong to other users.  I believe this
is happening both in the email as well as on the registration/complete
form.  Some people have reported receiving links to files that were for
another user.  Also I put some trap code in the registration/complete
form. The form fetches the filename from $_SESSION and compares it to
the filename in the cookie - if they don't match it errors.  That code
is being tripped.

I looked at recent occurrence of the error and the two nodes involved
(one for each of the users) had exactly the same time created timestamp.

My assumptions have been:

- Anonymous sessions are tied to a particular connection and data in
$_SESSION is not shared.
- PHP procedures are threadsafe

I'm running PHP 5 on Red Hat.

What am I doing wrong?



More information about the development mailing list