
I'm a newbie at programming with AJAX and beginner at PHP programming. I'm not sure why, but when a user clicks an arrow to "Upvote" a post repeatedly and very fast, the PHP login_check decides that the user is no longer logged in. The program works if I click the arrow at a normal speed, but when I rapid fire it gets weird.

PHP code:

<?php

include "db_connect.php";
include "functions.php";

sec_session_start();

I was wondering if this is a definite case of race conditions and what I could do to prevent it.

AJAX code:

$(document).ready(function() {

    $("#upvotearrow").click(function() {
        setTimeout(function() { }, 500); // no-op: schedules an empty callback, does not delay the request
        var $resdiv = $("#upvotedownvote_resultalert");
        var $content = $("#upvotedownvote_resultalert_content");
        $.ajax({
            type: "POST",
            url: "../secure/process_upvotedownvote.php",
            data: { vote: "upvote", poemid: $("#poemidfield").val() },
            dataType: "html"
        })
        .done(function(param) {
            if (param == "true_upvote") {
                $content.html("Upvote registered!");
                $resdiv.css("visibility", "visible");
            } else {
                $content.html("Invalid request");
                $resdiv.css("visibility", "visible");
            }
        });
    });

    $("#downvotearrow").click(function() {
        setTimeout(function() { }, 500); // no-op: schedules an empty callback, does not delay the request
        var $resdiv = $("#upvotedownvote_resultalert");
        var $content = $("#upvotedownvote_resultalert_content");
        $.ajax({
            type: "POST", // POST data
            url: "../secure/process_upvotedownvote.php", // Secure upvote/downvote PHP file
            data: { vote: "downvote", poemid: $("#poemidfield").val() }, // Send type of vote and poem id in the request body
            dataType: "html" // Expect a plain text/HTML response from the PHP file
        })
        .done(function(param) { // param: the string echoed by the PHP file
            if (param == "true_downvote") {
                $content.html("Downvote registered!");
                $resdiv.css("visibility", "visible");
            } else {
                $content.html("Invalid request");
                $resdiv.css("visibility", "visible");
            }
        });
    });

});

The website with a live demo can be viewed here.

TO LOG IN, JUST USE THIS EMAIL: [email protected] AND THIS PASSWORD: asdf123

Thanks in advance for any advice!
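The rapid-fire clicks also expose the vote handler itself to duplicate and concurrent requests. The following is an added example of what a `process_upvotedownvote.php` could look like so that a burst of identical requests cannot double-count, and an upvote can be switched to a downvote by the same request. It is not the asker's code; it assumes `db_connect.php` provides a PDO handle `$pdo`, that `functions.php` provides `sec_session_start()` and a `login_check()` that reads the session, that the logged-in user's id lives in `$_SESSION['user_id']`, and that a hypothetical table `poem_votes (user_id, poem_id, value)` carries a `UNIQUE KEY (user_id, poem_id)`.

```php
<?php
// Added example, not the asker's process_upvotedownvote.php.
// Assumptions: $pdo (PDO, MySQL) from db_connect.php; sec_session_start() and
// login_check() from functions.php; $_SESSION['user_id'] set at login; and a
// hypothetical table poem_votes(user_id, poem_id, value) with
// UNIQUE KEY (user_id, poem_id) so each user holds at most one vote per poem.
declare(strict_types=1);

include "db_connect.php";
include "functions.php";

sec_session_start();

if (!login_check()) {
    http_response_code(403);
    exit("Invalid request");
}

// Whitelist the vote type and validate the poem id before touching the database.
$allowed = ['upvote' => 1, 'downvote' => -1];
$vote    = $_POST['vote'] ?? '';
$poemId  = filter_input(INPUT_POST, 'poemid', FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);

if (!isset($allowed[$vote]) || $poemId === false || $poemId === null) {
    exit("Invalid request");
}

$userId = (int) $_SESSION['user_id'];
$value  = $allowed[$vote];

// One row per (user, poem): repeated clicks overwrite the same row instead of
// inserting duplicates, and switching upvote -> downvote is a plain update.
// The UNIQUE key makes two concurrent requests for the same pair serialize on
// that row, so neither an inflated count nor a duplicate row can result.
// A poem's score should be derived with SUM(value) over this table rather than
// kept as a counter that each request increments.
$stmt = $pdo->prepare(
    'INSERT INTO poem_votes (user_id, poem_id, value)
     VALUES (:user_id, :poem_id, :value)
     ON DUPLICATE KEY UPDATE value = VALUES(value)'
);
$stmt->execute([':user_id' => $userId, ':poem_id' => $poemId, ':value' => $value]);

// Echo exactly the strings the jQuery .done() handler compares against.
echo $vote === 'upvote' ? 'true_upvote' : 'true_downvote';
```

Because the decision is made server-side from the session and the database constraint, it does not matter whether the client disables its button, and the upvote/downvote toggle the asker wants is just a second request that updates the same row.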

1 Answer

I don't know about the race condition (which is likely but shouldn't mess with the session unless it is getting regenerated every time). Anyway, if I were you, I would disable the upvote/downvote button right after the first click.


3 Comments

Oh crap- the sec_session function does regenerate the session ID-- here's a snippet: session_start(); session_regenerate_id(true); // regenerates the session, deletes the old one. What should I do now? Rewrite a special sec_session() function just for the upvote/downvote? I don't want to disable the button because I 1) want to allow people to change upvotes->downvotes and vice versa and 2) it would be insecure because they could just alter the JavaScript
Well, unless someone better informed than me advises otherwise, I don't think you need to regenerate the session every time. Just make sure you do regenerate the session upon user login to prevent session-fixation attacks. Also, you incur a slight performance penalty (which might be acceptable anyway) if you regenerate every time: generate new random, non-existent token; serialize session contents and store it into new file; delete old file; set new session id through PHPSESSID cookie...
Dude thank you so much! I searched Stack Overflow for session_regenerate_id security issues and every post I read agreed with you that it wasn't necessary. You saved me from a wild goose chase about race conditions. Thank you again so much!
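To make the comment thread's conclusion concrete, here is an added example of session helpers that regenerate the ID only when the privilege level changes (at login), never on every request. It is not the asker's `functions.php`; the function names `sec_session_start()`, `login_user()`, `logout_user()` and `login_check()`, and the `$_SESSION['user_id']` key, are assumptions for this example. The array form of `session_set_cookie_params()` requires PHP 7.3 or later.

```php
<?php
// Added example, not the asker's functions.php. Assumed names: sec_session_start(),
// login_user(), logout_user(), login_check(), and the $_SESSION['user_id'] key.
declare(strict_types=1);

// Why regenerating on every request breaks rapid AJAX calls:
// session_regenerate_id(true) deletes the old session data and issues a new
// PHPSESSID cookie in the response. A second request fired before that response
// arrives still carries the OLD id, finds no session behind it, and so fails
// login_check(). Regenerating only at login avoids the problem entirely.

function sec_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Accept the id from cookies only, and mark the cookie Secure, HttpOnly, SameSite.
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();   // no session_regenerate_id() here
}

// Call exactly once, after the password check succeeds. This is the moment the
// session's privilege level changes, so rotating the id here defeats fixation
// (an attacker who planted a pre-login id does not get the post-login one).
function login_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
}

function logout_user(): void
{
    $_SESSION = [];
    session_destroy();
}

function login_check(): bool
{
    return isset($_SESSION['user_id']) && is_int($_SESSION['user_id']);
}
```

If periodic rotation of long-lived sessions is wanted on top of this, do it on a timer stored in `$_SESSION` (for example every few minutes) rather than per request, so two overlapping AJAX calls cannot race each other over the same rotation.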
