Tuesday, February 28th, 2006

AJAX and Session “Race Conditions”

Category: PHP, Programming

From the SitePoint PHP Blog, there’s a new post from Harry Fuecks that talks about issues concerning race conditions and Ajax.

He quotes Marc Wandschneider as saying, basically, that since PHP scripts are executed in their own little environment, there’s not so much worry about the access of more than one page at once on that instance. Ajax breaks this model, however, making it possible to pull several pages from different instances all into one place. This could cause a “race condition” with your session information on the server if not handled correctly.

Now before I go any further—this is not a PHP problem despite the title (I hope the web ring is paying attention)—this is a feature of HTTP—it’s stateless. The problem is really the blurring of lines AJAX introduces—this goes right to the line between the two kinds of AJAX – is the client or the server managing state?

I’d broaden that a little—in short, using a stateless protocol like HTTP, any attempt to lock server side resources across requests will always be an ugly and potentially dangerous hack. For example, what if the client suffers a power cut, shortly after locking something?

Quoting Mr. Wandschneider further, he also notes that the best way to deal with scripts/applications that might cause these sorts of problems is just to avoid them altogether. More often than not, they’re just not worth the headaches they will cause. He also suggests that a move to a J2EE platform might not be the best answer if the bridging of session data across multiple sessions is needed, as suggested by Marc.
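
The lost update behind this kind of session race, as an added example that is not from the original post or the SitePoint article: two Ajax requests for the same session each load the session, do some work, and write it back. The session id, the cart items and the generator-based scheduler are constructed for illustration; the second run serializes the requests with a per-session lock that is held only while one request is being handled.

```javascript
// Constructed model of server-side session handling. Each "request" is a
// generator that yields at the points where a real server could be busy
// with another request for the same session.
const store = new Map(); // session id -> serialized session data
const locks = new Set(); // session ids currently locked by a request

function* addToCart(sid, item) {
  // Session load: the request works on its own private copy of the data.
  const session = JSON.parse(store.get(sid) || '{"cart":[]}');
  yield; // the second Ajax request gets to run here
  session.cart.push(item);
  // Session write-back: overwrites whatever is stored, including changes
  // another request saved after this one loaded its copy.
  store.set(sid, JSON.stringify(session));
}

// Per-session lock: a request waits until no other request for the same
// session is in flight, and always releases the lock when it finishes.
function* locked(sid, handler) {
  while (locks.has(sid)) yield;
  locks.add(sid);
  try {
    yield* handler;
  } finally {
    locks.delete(sid);
  }
}

// Round-robin scheduler: advances every in-flight request one step per pass.
function runConcurrently(requests) {
  let pending = [...requests];
  while (pending.length) pending = pending.filter((r) => !r.next().done);
}

function simulate(useLock) {
  store.clear();
  locks.clear();
  const sid = "sess-constructed-1"; // constructed session id
  const requests = ["book", "pen"].map((item) => {
    const handler = addToCart(sid, item);
    return useLock ? locked(sid, handler) : handler;
  });
  runConcurrently(requests);
  return JSON.parse(store.get(sid)).cart;
}

console.log("no lock:  ", simulate(false)); // the "book" update is lost
console.log("with lock:", simulate(true)); // both updates survive
```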

Posted by Chris Cornutt at 7:55 am


He even suggests a move to a J2EE platform if the bridging of session data across multiple sessions is needed.

Think you misread there – was actually pointing out the flawed thinking of someone believing J2EE is the magic bullet for all stateless HTTP issues (which it isn’t) – perhaps best just delete that.

Comment by Harry Fuecks — February 28, 2006

For sure J2EE is not a silver bullet, but at least you can create a servlet filter that creates a semaphore on the session. In other words only one session can be accessed by the user, others should wait.
I do not recall synchronization in PHP :(

Comment by Lukasz — February 28, 2006

flock()? You’re not serious, are you? That’s fine if you want to synch file access, but it’s not a catch-all.

Comment by Keith Gaughan — March 2, 2006

And flock is not supported on all platforms.

Comment by emmanuel — March 20, 2007
