This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "CRV2 RevCodePersistentAntiPatterndotNet"
| Line 12: | Line 12: | ||
Locking data for the time the request takes will not solve this problem. Using locks in database are absolutely not recommend since they required careful implementation planning and design.(Freeman, pg 179 ,2011) | Locking data for the time the request takes will not solve this problem. Using locks in database are absolutely not recommend since they required careful implementation planning and design.(Freeman, pg 179 ,2011) | ||
| − | Example locking code | + | == Race conditions == |
| + | If the following is run on more than one thread, it will randomly crash. It is not possible to | ||
| + | know deterministically whether the code will throw an ArgumentOutOfRangeException. Sometimes it will, | ||
| + | sometimes it won’t. | ||
| + | |||
| + | IList<string> list = new List<string>(); | ||
| + | list.Add("Hello"); | ||
| + | … | ||
| + | // multi-threaded code | ||
| + | if(list.Count > 0) | ||
| + | { | ||
| + | list.RemoveAt(0); | ||
| + | } | ||
| + | |||
| + | In that case a locking can be used, however using locks as mentioned earlier should be consider as an option if it is absolutely necessary. | ||
| + | |||
| + | Example locking code | ||
object lockObj = new object(); | object lockObj = new object(); | ||
IList<string> list = new List<string>(); | IList<string> list = new List<string>(); | ||
| Line 25: | Line 41: | ||
} | } | ||
} | } | ||
| + | |||
==Recommendations== | ==Recommendations== | ||
Revision as of 02:39, 18 June 2013
.NET Anti-Pattern: Mishandled Concurrency
The correct concurrency management techniques is absolutely necessary in order to guarantee data integrity. A way to implement proper concurrency consists in creating a concurrency token which will be checked from the moment the entity object in the database was read until the moment when the submission will be executed. Prior to commit the final changes, the application must execute control where the concurrency token will be compared. If the token differs, conclusions can be drawn that indeed the data has been changed by another user.
The Entity Framework supports optimistic concurrency, unfortunately exceptions derived from errors encountered between the updates are not automatically handled, neither this will protect your data from corrupting.
Avoid Locks
Another anti-pattern approach used by many developers is to lock regions in the database.Web applications are not properly suited for using locking which will indeed freeze the application. Locking data for the time the request takes will not solve this problem. Using locks in database are absolutely not recommend since they required careful implementation planning and design.(Freeman, pg 179 ,2011)
Race conditions
If the following is run on more than one thread, it will randomly crash. It is not possible to know deterministically whether the code will throw an ArgumentOutOfRangeException. Sometimes it will, sometimes it won’t.
IList<string> list = new List<string>();
list.Add("Hello");
…
// multi-threaded code
if(list.Count > 0)
{
list.RemoveAt(0);
}
In that case a locking can be used, however using locks as mentioned earlier should be consider as an option if it is absolutely necessary.
Example locking code
object lockObj = new object();
IList<string> list = new List<string>();
list.Add("Hello");
…
// multi-threaded code
lock(lockObj)
{
if(list.Count > 0)
{
list.RemoveAt(0);
}
}
Recommendations
- The best option in this case is to alert the user who initiated the second request that his changes cannot be applied. "This is largely because, by definition, the first request will already have
completed".(Freeman,pg 179,2011)
- A recommended pattern when using the Entity Framework consists in "making a copy of the entity on the client and send back both the original version unmodified and the modified version or to write the client in such a way that it does not modify the concurrency token".(Simmons, 2009)
References
Simmons, D. (2009, June ). Anti-Patterns To Avoid In N-Tier Applications. MSDN Magazine. Retrieved from http://msdn.microsoft.com/en-us/magazine/dd882522.aspx#id0420025
Freeman, A (2011). Applied ASP .NET 4 in Context. Apress, New York, USA
