Race condition in session establishment for concurrent requests #5531
Comments
Here is a Python script, raceme.zip, which reproduces this on stable.opencast.org, with results like this. The script ends when a 500 Internal Server Error is received, and the two related stack traces can be seen in https://stable.opencast.org/log/opencast.log
and
Note that it doesn't matter for this purpose that the LTI payload is not present. It's simply about establishing an Opencast session, whether authenticated or not.
Describe the bug
Multiple concurrent requests to an Opencast endpoint (in this case POST to the LTI servlet) can lead to a race condition inside Jetty where one of the requests succeeds and the others fail to establish a session properly, returning a null session object.
It seems to be a similar issue to this one: jetty/jetty.project#4888
The full stack trace is:
To Reproduce
This showed up in our Opencast 14.x production system with customisations to support LTI Deep Linking, with multiple embedded LTI content launches on the same page in the LMS. It happens the first time around, when the browser sends an old JSESSIONID cookie and Opencast is attempting to establish a new session. It doesn't happen when there's no JSESSIONID cookie sent at all (e.g. incognito mode browser) or when there is already a valid Opencast session established by a prior launch. Hence, refreshing the containing page in the LMS makes the problem appear to go away as all the launches succeed.
Server environment:
Opencast 14.x, admin+presentation node, Karaf 4.4.4 with jetty 9.4.52.v20230823
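
A log-triage sketch for the symptom reported above, added here as an example (it is not from the issue, the attached script, or Opencast): it flags bursts where requests carrying the same JSESSIONID hit one path within a short window and only some of them succeed. The log layout, the `/lti` path, the function names and the sample lines are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not from the issue): ISO timestamp, method, path,
# status, and the JSESSIONID value the client sent ("-" when no cookie).
# The /lti path and this log layout are assumptions for the example.
SAMPLE_LOG = """\
2024-01-10T09:00:00.010 POST /lti 200 node0abc
2024-01-10T09:00:00.015 POST /lti 500 node0abc
2024-01-10T09:00:00.021 POST /lti 500 node0abc
2024-01-10T09:00:05.000 POST /lti 200 -
2024-01-10T09:00:05.004 POST /lti 200 -
2024-01-10T09:00:09.000 POST /lti 500 node0xyz
2024-01-10T09:01:30.000 POST /lti 200 node0abc
"""

def parse(line):
    ts, method, path, status, cookie = line.split()
    return datetime.fromisoformat(ts), method, path, int(status), cookie

def find_session_race_bursts(log_text, window_s=1.0):
    """Return bursts of same-cookie requests to one path within window_s
    seconds where at least one succeeded and at least one returned 500."""
    by_key = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _method, path, status, cookie = parse(line)
        if cookie == "-":  # no cookie sent: the issue reports no failure here
            continue
        by_key[(cookie, path)].append((ts, status))

    bursts = []
    for (cookie, path), events in by_key.items():
        events.sort()
        group = [events[0]]
        for ev in events[1:] + [None]:  # trailing None flushes the last group
            if ev and (ev[0] - group[0][0]).total_seconds() <= window_s:
                group.append(ev)
                continue
            statuses = [s for _, s in group]
            if 500 in statuses and any(s < 400 for s in statuses):
                bursts.append({"cookie": cookie, "path": path,
                               "start": group[0][0].isoformat(),
                               "ok": sum(s < 400 for s in statuses),
                               "failed": statuses.count(500)})
            if ev:
                group = [ev]
    return bursts
```

A lone 500 or a burst of cookie-less requests is deliberately not flagged, since the report ties the failure to concurrent requests that all present the same old cookie.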