[SERVER-37702] config.transactions entry should not include the uid portion of the LogicalSessionId Created: 22/Oct/18  Updated: 27/Oct/23  Resolved: 23/Oct/18

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 4.1.4
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Randolph Tan Assignee: [DO NOT USE] Backlog - Sharding Team
Resolution: Works as Designed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Related
is related to SERVER-37701 Make SessionUpdateTracker include the... Closed
Assigned Teams:
Sharding
Operating System: ALL
Participants:

 Description   

Consequently, the SessionsCatalog should only include the uuid and not the uid as well.



 Comments   
Comment by Mira Carey [ 23/Oct/18 ]

100%, lsids have to be uid + id.  The uid is the part that's validated and prevents users from spoofing each other.

It was never intended that the id be used by itself for anything (other than allowing clients to "create" lsids without talking to the server. I.e. after ingress, the intention was that we would always fill in the uid portion and the bare id would never be used)

Comment by Andy Schwerin [ 23/Oct/18 ]

I believe this is incorrect. In order to prevent a malicious user from interfering with another user, the user id must be a component of the lsid in all comparisons. That prevents the malicious user from choosing another user's lsid to cause harm.

Comment by Kaloian Manassiev [ 23/Oct/18 ]

I think this is a pretty significant upgrade work, because we already have unique index on that collection (and config.system.sessions as well) so that would have to be done under an FCV transition.

Also, if there are two sessions in the table with the same UID, they will have to be merged together using some logic. Perhaps the latest transaction wins?

Generated at Thu Feb 08 04:46:45 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.