Skip to content

[Bug]: TOCTOU race allows bypassing MAX_SESSIONS limit under concurrent session creation #372

Description

@hariom888

Bug Description

createSession (backend/controllers/sessionController.js) checks the session count via Session.countDocuments({ user: userId }) against MAX_SESSIONS, then creates a new Session afterward. There is no atomicity between the count check and the create, so concurrent requests can each read the same pre-creation count and independently pass the check.

Steps to Reproduce

  1. Authenticate as a user sitting at MAX_SESSIONS - 1 sessions.
  2. Fire several concurrent POST requests to /api/sessions/create (e.g. via Promise.all).
  3. Check the user's total session count via GET /api/sessions/my-sessions afterward.

Expected Behavior

At most one of the concurrent requests should succeed once the user reaches MAX_SESSIONS; all others should be rejected with the session-limit error.

Actual Behavior

Multiple concurrent requests all pass the countDocuments check and all successfully create sessions, allowing the user's total session count to exceed MAX_SESSIONS.

Severity

Low

Screenshots / Screen Recording

No response

Browser

No response

Operating System

No response

Additional Context

No response

Metadata

Metadata

Assignees

Labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions