mirror of
https://github.com/zulip/zulip.git
synced 2025-10-23 04:52:12 +00:00
e6eace307e
Clearing the sessions inside the transaction makes Zulip vulnerable to a narrow window where the deleted session has not yet been committed, but has been removed from the memcached cache. During this window, a request with the session-id which has just been deleted can successfully re-fill the memcached cache, as the in-database delete is not yet committed, and thus not yet visible. After the delete transaction commits, the cache will be left with a cached session, which allows further site access until it expires (after SESSION_COOKIE_AGE seconds), is ejected from the cache due to memory pressure, or the server is upgraded. Move the session deletion outside of the transaction. Because the testsuite runs inside of a transaction, it is impossible to test this is CI; the testsuite uses the non-caching `django.contrib.sessions.backends.db` backend, regardless. The test added in this commit thus does not fail before this commit; it is merely a base expression that the session should be deleted somehow, and does not exercise the assert added in the previous commit.