undefined | Better HN

0 pointsuseerup4y ago0 comments

I've seen something like this happen because of a race issue during login. Basically the developer(s) had refactored something and were not aware that a global variable was being captured by a closure used for auth.

This meant that whenever two users signed in at the exact same time, there was a non-negligible chance that they swapped accounts during the flow.

It was actually not that easy to spot in the code. Sometimes what looks really, really stupid on the surface may in fact have a complicated and not-so-stupid explanation, often involving multiple developers and modernizing legacy code.

If it is a race condition, it can be incredibly hard to find during test.

Even if it is a stupid mistake, like e.g. not marking session cookies as secure and private, it does not mean that all of the rest of the code is bonkers.

0 comments

bagacrap4y ago

use of a global variable seems pretty stupid in fact, and easy to spot

useerupOP4y ago

> and easy to spot

Not always. Like if you initialize middleware by using a "lambda" (closure), and you from within that closure creates a new closure.

It means that you need to be aware of the context the outer closure is used in. If it is only instantiated once during initialization, it's free variables are in essence "hidden" global variables. Not easy to spot.

j / k navigate · click thread line to collapse