For an application that I am building, we are using Redis as the session storage medium.
The other day, one of our testers noted that when he logged out and then immediately tried to access a protected URI (within about 1 second of logging out), his old session data was still being used.
Stepified:
- User logs in as Account A.
- User logs out.
- User immediately accesses protected URI.
- User is logged in as Account A again.
I think what is happening is this:
- User logs out, so application clears the user’s session and sends the empty session to Redis for storage.
- Before the change “takes”, the user accesses a different resource (e.g., the sign-in form or a protected URI).
- The application requests the session from Redis, which still contains the logged-in session values.
- The application sends the updated session back to Redis, overwriting the logged-out session.
Is this a correct diagnosis? Does Redis have a delay between accepting a SET and actually updating the stored value? Or should I be investigating something in my application logic?
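The read-modify-write interleaving described above, as an added example that is not part of the original post: a constructed in-memory stand-in for the Redis commands involved reproduces the lost logout, then runs the same sequence with logout deleting the session key and saves using the `XX` option of Redis `SET` (write only if the key already exists) so a stale copy cannot recreate the session. The session id, values and the `FakeRedis` class are all constructed for the illustration.

```python
class FakeRedis:
    """Constructed in-memory stand-in for the Redis GET/SET/DEL used below."""

    def __init__(self):
        self.kv = {}

    def get(self, key):
        return self.kv.get(key)

    def set(self, key, value, xx=False):
        # xx=True mirrors Redis `SET key value XX`: write only if key exists.
        if xx and key not in self.kv:
            return False
        self.kv[key] = value
        return True

    def delete(self, key):
        return self.kv.pop(key, None) is not None


def lost_update_logout(store, sid="sess:abc"):
    """Interleaving from the question: request 2 loads the session before
    logout saves it, then writes its stale copy back, resurrecting the login."""
    store.set(sid, {"user": "A"})          # logged in as Account A
    stale = dict(store.get(sid))           # request 2 loads the session
    store.set(sid, {})                     # request 1 (logout) saves empty session
    stale["last_seen"] = 1                 # request 2 does its own work...
    store.set(sid, stale)                  # ...and saves the stale copy
    return store.get(sid).get("user")      # "A": user appears logged in again


def guarded_logout(store, sid="sess:abc"):
    """Same interleaving with two changes: logout DELETEs the key instead of
    writing an empty session, and the save uses XX so a request holding a
    stale copy cannot recreate a session that no longer exists."""
    store.set(sid, {"user": "A"})
    stale = dict(store.get(sid))
    store.delete(sid)                      # logout removes the key outright
    stale["last_seen"] = 1
    saved = store.set(sid, stale, xx=True) # refused: key is gone
    return store.get(sid), saved           # (None, False)
```

Brand-new sessions still need a plain `SET` (or `NX`) when first created; only saves of an already-loaded session should use `XX`.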
There is no delay in the execution of the SET command. If redis-server returns successfully, and your client library reports a success, you can be sure that Redis has written the data.
I’d recommend looking at your application stack. Perhaps the session handler is invalidating sessions asynchronously?