Skip to content

Don't re-use DefaultHttpContext if IHttpContextAccessor is in use #15049

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 17, 2019
Merged

Don't re-use DefaultHttpContext if IHttpContextAccessor is in use #15049

merged 2 commits into from
Oct 17, 2019

Conversation

davidfowl
Copy link
Member

@davidfowl davidfowl commented Oct 16, 2019
edited
Loading

  • Consumers may still get null or an ODE but will never end up with data from a different request.
  • Make sure an ODE is thrown from all properties on HttpContext after the request is over.

Fixes #14975

cc @benaadams

@davidfowl
Don't re-use DefaultHttpContext if IHttpContextAccessor is in use
7bcb0cd 
- Consumers may still get null or an ODE but will never end up with data from a different request.
- Make sure an ODE is thrown from all properties on HttpContext after the request is over.
@davidfowl davidfowl added this to the 5.0.0-preview1 milestone Oct 16, 2019
@davidfowl davidfowl self-assigned this Oct 16, 2019
davidfowl
davidfowl commented Oct 16, 2019
View reviewed changes
src/Hosting/Hosting/test/HostingApplicationDiagnosticsTests.cs
using Moq;
using Xunit;

namespace Microsoft.AspNetCore.Hosting.Tests
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These aren't new but I renamed files (my bad).

  • HostingApplicationDiagnosticsTests used to be HostingApplicationTests
  • HostingApplicationTests contain the new tests

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I uses git mv to ensure it git picks up file renames

benaadams
benaadams approved these changes Oct 16, 2019
View reviewed changes
Copy link
Member

@benaadams benaadams left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh that's nice :)

Tratcher
Tratcher reviewed Oct 16, 2019
View reviewed changes
@davidfowl
Copy link
Member Author

@anurse, this is something we should patch in the 3.1 timeframe

@davidfowl davidfowl merged commit 16be9a2 into master Oct 17, 2019
@davidfowl davidfowl deleted the davidfowl/remove-accessor-pooling branch October 17, 2019 00:09
@analogrelay
Copy link
Contributor

Who approved this for 3.1?

@davidfowl
Copy link
Member Author

@anurse nobody, it's in master

@analogrelay
Copy link
Contributor

analogrelay commented Oct 18, 2019
edited
Loading

Horp, missed that. Sorry! :)

@davidfowl
Copy link
Member Author

I still think we should backport this to 3.1. I'll open an issue (or can I just do a PR?)

@Pilchie
Copy link
Member

Pilchie commented Apr 13, 2020

PR is fine.

davidfowl added a commit that referenced this pull request Apr 15, 2020
@davidfowl
Don't re-use DefaultHttpContext if IHttpContextAccessor is in use (#1…
055dd65 
…5049)

* Don't re-use DefaultHttpContext if IHttpContextAccessor is in use
- Consumers may still get null or an ODE but will never end up with data from a different request.
- Make sure an ODE is thrown from all properties on HttpContext after the request is over.
wtgodbe pushed a commit that referenced this pull request Apr 15, 2020
@davidfowl
Don't re-use DefaultHttpContext if IHttpContextAccessor is in use (#1…
1b99352 
…5049) (#20844)

* Don't re-use DefaultHttpContext if IHttpContextAccessor is in use
- Consumers may still get null or an ODE but will never end up with data from a different request.
- Make sure an ODE is thrown from all properties on HttpContext after the request is over.
@ldwedari
Copy link

If possible, this should be backported to 2.1 and 2.2 as soon as possible. It pottentially can cause serious issues to existing applications with wrong impersonation.

@davidfowl
Copy link
Member Author

This never existed on 2.2 and 2.1 that’s a different issue.

@ldwedari
Copy link

ldwedari commented Jul 10, 2020
edited
Loading

This never existed on 2.2 and 2.1 that’s a different issue.

@davidfowl I created this demonstration based on the code that you posted in #14975.
In 2.1.19 (master branch) there is a data race. But in 3.1.5 (TestWithNetCore3_1 branch) I cannot see it happening.

Is my test wrong? If it is correct, does this actually happens in 3.1.5?

@ldwedari
Copy link

Just a clarification. I cannot reproduce the data race issue with HttpContext in asp.net core 2.2. But it does occur with all versions of 2.1.

@davidfowl
Copy link
Member Author

@ldwedari This is using IIS or Kestrel?

@ldwedari
Copy link

ldwedari commented Jul 16, 2020
edited
Loading

@davidfowl Kestrel. In fact, in my test I removed the IIS configuration from launchsettings.json.

@davidfowl
Copy link
Member Author

davidfowl commented Jul 16, 2020
edited
Loading

I had to dig into the code archives to remember the 2.1 behavior. In 2.1 we never cleared the HttpContext state after the request is over which means its entirely possible to get values from the next request since the HttpContext points to the same feature collection when using Kestrel on the same connection.

This isn't related to the HttpContextAccessor itself, but it would also happen if you held onto the HttpContext longer than the request.

@amcasey amcasey added the area-hosting Includes Hosting label Jun 1, 2023
@amcasey amcasey added area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions and removed area-runtime labels Aug 24, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@benaadams benaadams benaadams approved these changes

@Tratcher Tratcher Tratcher approved these changes

@analogrelay analogrelay Awaiting requested review from analogrelay

@jkotalik jkotalik Awaiting requested review from jkotalik

Assignees

@davidfowl davidfowl

Labels
area-hosting Includes Hosting area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions
Projects
None yet
Milestone
5.0.0-preview1
Development

Successfully merging this pull request may close these issues.

IHttpContextAccessor cannot be used reliably in some scenarios
7 participants
@davidfowl @analogrelay @Pilchie @ldwedari @benaadams @Tratcher @amcasey