SessionsLoadFromFile breaks all session after restart

vs · 2026-03-22 13:16:11

SessionsLoadFromFile breaks all session lookups due to fSessionCounterMin mismatch after restart

When using SessionsSaveToFile/SessionsLoadFromFile (or Shutdown with a state file) for session persistence across restarts, all session lookups via LockedSessionFind fail after the server restarts.

Root cause:
- In TRestServer.Create, fSessionCounterMin := Random32(1 shl 20) + 10 (a new random value on every startup, up to ~1,048,585)
- SessionsLoadFromFile restores fSessionCounter from the file, but fSessionCounterMin stays at the new random value
- LockedSessionFind checks: if (aSessionID <= fSessionCounterMin) or (aSessionID > cardinal(fSessionCounter)) then exit;
- For any small deployment where saved fSessionCounter < new fSessionCounterMin, ALL sessions (loaded and newly created) are silently rejected

This makes SessionsSaveToFile/SessionsLoadFromFile effectively broken for any server with fewer than ~1 million total logins (which is most deployments).

Proposed fix in SessionsLoadFromFile, after restoring fSessionCounter:
fSessionCounter := PCardinal(R.P)^;
fSessionCounterMin := 0; // allow all loaded session IDs to pass bounds check

Setting fSessionCounterMin=0 is safe because session IDs 0 and 1 (CONST_AUTHENTICATION_NOT_USED/NOT_STARTED) are rejected by the caller before LockedSessionFind is ever reached.

Regression from mORMot1: the old TSQLRestServerDB.Shutdown(filename) + SessionsLoadFromFile pattern worked reliably in mORMot1 because fSessionCounterMin was not randomized.

ab · 2026-03-22 13:45:09

Nice finding.

The regression tests were indeed not enough to identify it, because it did reuse the same fSessionCounterMin.

Should be fixed by https://github.com/synopse/mORMot2/commit/b323ab692

vs · 2026-03-22 14:11:19

Arnaud, you're amazing as always.

I barely finished my coffee before we received the fix.

My sincere respect and gratitude!

Added...
Checked, fix works!

Last edited by vs (2026-03-22 14:24:39)

ab · 2026-03-22 22:01:42

You made a proper investigation, so it was easy to fix.

Thanks to you!

mORMot Open Source

#1 2026-03-22 13:16:11

SessionsLoadFromFile breaks all session after restart

#2 2026-03-22 13:45:09

Re: SessionsLoadFromFile breaks all session after restart

#3 2026-03-22 14:11:19

Re: SessionsLoadFromFile breaks all session after restart

#4 2026-03-22 22:01:42

Re: SessionsLoadFromFile breaks all session after restart

Board footer