www.cendio.com
Bug 5953 - session limit can be exceeded through race in newsession
Status: NEW
ThinLinc
VSM Server
pre-1.0
PC Unknown
P2 Normal
MediumPrio
Reported: 2016-07-14 13:32 by
Modified: 2017-04-18 13:13


Description From cendio 2016-07-14 13:32:53
The handler for "newsession" has a race in it where both
/vsmserver/max_sessions_per_user and the license limit can be exceeded with the
right timing.

The problem is that both of these limits are checked before we do any changes
to the session database. So multiple newsession calls could be running
concurrently, and all get through.

One easy method of provoking this is by quickly clicking the login button in
the HTML client multiple times.
------- Comment #2 From cendio 2016-07-14 14:02:06 -------
(In reply to comment #0)
> One easy method of provoking this is by quickly clicking the login button in
> the HTML client multiple times.

Unless you're a Firefox user, since Firefox has protection against submitting a
form multiple times. :)

Chrome and Internet Explorer will however happily spam the server.
------- Comment #4 From cendio 2017-03-31 14:46:20 -------
Moving from 'MediumPrio' to '--' for discussion.

Through following the test instructions found here
https://intranet.lkpg.cendio.se/ThinLinc/Testing/Server#License_checks_.28C.29
I can reproduce both with 4.7.0post build 5404 and 4.7.0 server using the
native ThinLinc client.

> 2017-03-31 14:23:30 INFO vsmserver.license: License summary: 5 concurrent users. Hard limit of 6 concurrent users. 
> 2017-03-31 14:23:30 INFO vsmserver.session: Loaded 0 sessions for 0 users from file
> 2017-03-31 14:27:10 INFO vsmserver.session: User with uid 1003 (user1) requested a new session
> 2017-03-31 14:27:11 INFO vsmserver.session: User with uid 1004 (user2) requested a new session
> 2017-03-31 14:27:12 INFO vsmserver.session: User with uid 1005 (user3) requested a new session
> 2017-03-31 14:27:13 INFO vsmserver: VSM Agent 127.0.0.1 successfully created a new session for user1
> 2017-03-31 14:27:13 INFO vsmserver.session: User with uid 1006 (user4) requested a new session
> 2017-03-31 14:27:13 INFO vsmserver: VSM Agent 127.0.0.1 successfully created a new session for user2
> 2017-03-31 14:27:14 INFO vsmserver.session: User with uid 1007 (user5) requested a new session
> 2017-03-31 14:27:14 INFO vsmserver: VSM Agent 127.0.0.1 successfully created a new session for user3
> 2017-03-31 14:27:15 INFO vsmserver.session: User with uid 1008 (user6) requested a new session
> 2017-03-31 14:27:16 INFO vsmserver: VSM Agent 127.0.0.1 successfully created a new session for user4
> 2017-03-31 14:27:16 INFO vsmserver.session: User with uid 1009 (user7) requested a new session
> 2017-03-31 14:27:17 INFO vsmserver: VSM Agent 127.0.0.1 successfully created a new session for user5
> 2017-03-31 14:27:17 INFO vsmserver.session: User with uid 1010 (user8) requested a new session
> 2017-03-31 14:27:17 WARNING vsmserver.license: LICENSE VIOLATION: New session will exceed allowed use of 5 concurrent users. Hard limit of 6 concurrent users. 5 unique users currently running 5 sessions using 5 licenses
> 2017-03-31 14:27:18 INFO vsmserver: VSM Agent 127.0.0.1 successfully created a new session for user6
> 2017-03-31 14:27:18 INFO vsmserver.session: User with uid 1011 (user9) requested a new session
> 2017-03-31 14:27:18 WARNING vsmserver.license: LICENSE VIOLATION: Hit max number of concurrent users. Not allowing session for user9
> 2017-03-31 14:27:19 INFO vsmserver: VSM Agent 127.0.0.1 successfully created a new session for user7
> 2017-03-31 14:27:19 INFO vsmserver.session: User with uid 1012 (user10) requested a new session
> 2017-03-31 14:27:19 WARNING vsmserver.license: LICENSE VIOLATION: Hit max number of concurrent users. Not allowing session for user10
> 2017-03-31 14:27:20 INFO vsmserver: VSM Agent 127.0.0.1 successfully created a new session for user8
> 2017-03-31 14:27:20 INFO vsmserver.session: User with uid 1013 (user11) requested a new session
> 2017-03-31 14:27:20 WARNING vsmserver.license: LICENSE VIOLATION: Hit max number of concurrent users. Not allowing session for user11
------- Comment #5 From cendio 2017-04-04 15:29:45 -------
The double click of the login button has been moved to bug 6223 and this bug is
now exclusively about the server issues.
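
The check-then-create race from the description, and the pattern in the comment #4 log where eight sessions are created against a hard limit of 6, reduced to a runnable model. This is an added example, not ThinLinc code: `SessionStore`, both handler names and the barrier standing in for the slow VSM agent call are assumptions, and only the global limit is modelled.

```python
import threading

class SessionStore:  # toy stand-in for the session database, not vsmserver code
    def __init__(self, hard_limit):
        self.hard_limit = hard_limit
        self.sessions = set()   # sessions the agent has finished creating
        self.pending = set()    # slots reserved while the agent is still working
        self.lock = threading.Lock()

    def new_session_racy(self, user, create_on_agent):
        # The limit is checked against committed sessions only ...
        if len(self.sessions) >= self.hard_limit:
            return False
        create_on_agent(user)   # ... and nothing is recorded during this slow call
        self.sessions.add(user)
        return True

    def new_session_reserved(self, user, create_on_agent):
        with self.lock:  # check and reservation form one critical section
            if len(self.sessions) + len(self.pending) >= self.hard_limit:
                return False
            self.pending.add(user)
        try:
            create_on_agent(user)
        except Exception:
            with self.lock:
                self.pending.discard(user)  # give the slot back if creation fails
            raise
        with self.lock:
            self.pending.discard(user)
            self.sessions.add(user)
        return True

def run(handler_name, users, hard_limit, agent_parties):
    store = SessionStore(hard_limit)
    # The barrier models the agent call: no request finishes until
    # `agent_parties` requests are inside it at the same time.
    barrier = threading.Barrier(agent_parties)
    agent = lambda _user: barrier.wait(timeout=5)
    threads = [threading.Thread(target=getattr(store, handler_name), args=(f"user{i}", agent))
               for i in range(1, users + 1)]  # constructed users user1..userN
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(store.sessions)  # sessions that exist once every request is done

if __name__ == "__main__":
    print("racy:", run("new_session_racy", 8, 6, 8))          # 8 sessions, limit 6
    print("reserved:", run("new_session_reserved", 8, 6, 6))  # 6 sessions
```

A per-user limit such as /vsmserver/max_sessions_per_user would be reserved in the same critical section, counting pending entries for that user.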