Known Issue
Storage Adapter UPSERT Behavior
There is an issue with the way Fiber's storage adapters handle setting keys. The current operation for setting a key is an UPSERT, which means it will insert a new key if it does not exist or update it if it does. This can lead to issues in scenarios with simultaneous requests altering the same session. For example:
1. One request destroys the session.
2. Another request makes an inconsequential change to the session.
If the session destruction completes first, the inconsequential change could recreate the session, potentially preventing actions like logging out and posing security risks.
Since PR #3016 changes the session behavior to save and update on every request, it amplifies the problem if not addressed.
Originally posted by @sixcolors in #3016 (comment)
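The interleaving described in this issue, replayed deterministically as an added example (not code from Fiber or from the issue author). `Store`, `Update`, `ErrNoSuchKey` and the key `sess-1` are hypothetical names on a constructed in-memory map; the example contrasts an UPSERT save with an update-only save after the session has been destroyed.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNoSuchKey is returned by Update when the key was deleted or never existed.
var ErrNoSuchKey = errors.New("session key no longer exists")

// Store is a constructed in-memory stand-in for a storage adapter.
// It is not concurrency-safe; the race is replayed in a fixed order below.
type Store map[string]string

// Set is an UPSERT: it writes the key whether or not it currently exists.
func (s Store) Set(k, v string) { s[k] = v }

// Update (hypothetical) writes only if the key is still present. In a real
// adapter the existence check and the write must be one atomic operation.
func (s Store) Update(k, v string) error {
	if _, ok := s[k]; !ok {
		return ErrNoSuchKey
	}
	s[k] = v
	return nil
}

// SessionSurvivesLogout replays: request B loads the session, request A
// destroys it and completes first, then request B saves its small change.
func SessionSurvivesLogout(updateOnly bool) (alive bool, saveErr error) {
	s := Store{}
	s.Set("sess-1", "user=alice") // login creates the session
	loaded := s["sess-1"]         // request B loads the session
	delete(s, "sess-1")           // request A (logout) destroys it first
	if updateOnly {
		saveErr = s.Update("sess-1", loaded+";theme=dark")
	} else {
		s.Set("sess-1", loaded+";theme=dark") // UPSERT recreates the session
	}
	_, alive = s["sess-1"]
	return alive, saveErr
}

func main() {
	for _, updateOnly := range []bool{false, true} {
		alive, err := SessionSurvivesLogout(updateOnly)
		fmt.Printf("updateOnly=%v aliveAfterLogout=%v saveErr=%v\n", updateOnly, alive, err)
	}
}
```

With the UPSERT save the destroyed session is present again after logout; with the update-only save the write is rejected and the session stays destroyed.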