Uploaded image for project: 'Go Driver'
  1. Go Driver
  2. GODRIVER-2349

Prevent session ID reuse due to lower-than-expected system clock resolution

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Unknown Unknown
    • 1.9.0, 1.8.5
    • Affects Version/s: 1.8.0, 1.8.4
    • Component/s: None
    • None

      In various conditions, time.Now() returns a time with lower-than-expected resolution (500μs to 15ms). The Go driver uses time.Now() to seed some pseudo-random number generators, including the one for generating session IDs here. Due to that, it's possible to start two processes that reproduce the same sequence of session IDs if they are started at almost the same time.

      Some known cases of low resolution clocks in Go:

      • On Windows with versions of Go before 1.16 (see here)

      See the proposal for monotonic clocks in Go for more details about how Go measures time using both wall clocks and monotonic clocks.

      For seeding all pseudo-random number generators in the Go driver, replace time.Now() with an int64 read from the "crypto/rand" random source.

            Assignee:
            matt.dale@mongodb.com Matt Dale
            Reporter:
            matt.dale@mongodb.com Matt Dale
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: