0

I have a soap_server with acl. My client received user credentials from me to access the ws.

My problem is that my client uses threads to access my soap service. And on occasions I think that 2 threads login at the same time (using the same password and username). This causes my app to throw:

session has already been started by session.auto-start or session_start()

When running the code:

$identity = $auth->getIdentity();

I've searched the internet and found that this is a (common) problem in ZF? I couldn't find a solution. Is there something I should do when I do:

$authObject = $adapter->getResultRowObject(null, 'password');
$auth->getStorage()->write($authObject);

Does anyone know how to handle simultaneous access using the same password and username?

EDIT Would it be ok to do something like this:

$authObject = $adapter->getResultRowObject(null, 'password');
$authObject->uuid = uniqid();
$auth->getStorage()->write($authObject);

Would this increase the chance of avoiding collision if a user logs in with the same account? Is it a security risk to alter the authObject?

user439781

1 Answer

0

I might be wrong on this but each session is separate on the web server.

So each authentication request should create a new session (new session id), regardless of how concurrent the two were.

I am guessing you are restarting the session somewhere thus getting this error.

mobius
  • I thought so too but found this: http://stackoverflow.com/questions/2418124/session-has-already-been-started-exception-in-zend-framework-application – user439781 Nov 13 '11 at 20:15
  • It only happens sometimes (maybe 1 out of 1000). Any other ideas on the problem? – user439781 Nov 13 '11 at 20:17
  • Oh the question makes an important note. Are you sure session.autostart is 0? Even if you have set it on .htaccess are you sure it is changing? (is AllowOverride All?) – mobius Nov 13 '11 at 20:18
  • session.autostart is off, AllowOverride All is set in my virtualhost config file (default-ssl) – user439781 Nov 13 '11 at 20:21
  • Hmm, I am using Zend_Auth/Zend_Session heavily and never had such an issue. If you can post more code to check. You could always get xdebug profiler and see exactly where session_start() is being called. – mobius Nov 13 '11 at 20:27
  • I can see that it has happened 10 times out of 10 000 ws calls today. I know they are using 2 threads. I'm not using Zend_session. I'm only using Zend_auth. – user439781 Nov 13 '11 at 20:30
  • Zend_Auth uses Zend_Auth_Storage_Session which in turn uses Zend_Session_Namespace which in turn uses Zend_Session. Do you have any session_start in your code? – mobius Nov 13 '11 at 20:37
  • No, it's pretty straightforward. Validate user using adapter, if valid I store the user as in my original post. I then check the role (all this is done in preDispatch). If everything is OK I'm allowed access to my controller holding my soap_server. First thing in my soap call I get the identity of the user. Last thing in my soap controller I clear the identity. It works most of the time :) – user439781 Nov 13 '11 at 20:43
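
The storage chain described in the comments (Zend_Auth → Zend_Auth_Storage_Session → Zend_Session) can be bypassed for a web service that authenticates on every call and clears the identity at the end. The following is an added example, not code from the question or the answer: it swaps in Zend_Auth_Storage_NonPersistent so the identity lives only in memory for the current request and Zend_Auth never touches Zend_Session. The plugin class name, the HTTP Basic credential source and the `error`/`denied` route are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Assumes Zend Framework 1 is on the include path.
require_once 'Zend/Auth.php';
require_once 'Zend/Auth/Storage/NonPersistent.php';
require_once 'Zend/Auth/Adapter/DbTable.php';
require_once 'Zend/Controller/Plugin/Abstract.php';

// Hypothetical plugin name; register it once in the bootstrap with
// Zend_Controller_Front::getInstance()->registerPlugin(new Ws_Plugin_StatelessAuth($adapter));
class Ws_Plugin_StatelessAuth extends Zend_Controller_Plugin_Abstract
{
    /** @var Zend_Auth_Adapter_DbTable adapter configured as in the existing application */
    private $_adapter;

    public function __construct(Zend_Auth_Adapter_DbTable $adapter)
    {
        $this->_adapter = $adapter;
    }

    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        $auth = Zend_Auth::getInstance();
        // Replace the default Zend_Auth_Storage_Session before any read or write,
        // so no PHP session is started and nothing is shared between parallel calls.
        $auth->setStorage(new Zend_Auth_Storage_NonPersistent());

        // Assumption: credentials arrive as HTTP Basic auth over TLS.
        $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
        $pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
        $this->_adapter->setIdentity($user)->setCredential($pass);

        $result = $auth->authenticate($this->_adapter);
        if (!$result->isValid()) {
            $auth->clearIdentity();
            $this->getResponse()
                 ->setHttpResponseCode(401)
                 ->setHeader('WWW-Authenticate', 'Basic realm="ws"', true);
            // Hypothetical error route; the SOAP controller is never dispatched.
            $request->setControllerName('error')->setActionName('denied');
            return;
        }

        // Same write as in the question: the user row without the password column,
        // held in memory for this request only.
        $auth->getStorage()->write($this->_adapter->getResultRowObject(null, 'password'));
    }
}
```

Inside the SOAP controller, `Zend_Auth::getInstance()->getIdentity()` then returns the row object written above, and it is discarded when the request ends.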