I encountered a race condition using the 2-steps login process provided by vtiger's webservices. Say that you have a multi-process / multi-threaded application using vtiger's webservices. Each thread/process has to call getchallenge+login before proceeding in doing what they have to do (that's what doLogin() in vtwsclib does).

The problem lies in the getchallenge phase. include/Webservices/AuthToken.php does

delete from vtiger_ws_userauthtoken where userid=?

for the current user. This instruction can be executed in between the 2 getchallenge+login steps of another webservice thread/process, therefore destroying its chance of doing a correct login.

Maybe the solution would be for the getchallenge step to detect if there is already an existing (not expired) outstanding getchallenge request for the current user and return that.

trac #6500

Index: trunk/include/Webservices/AuthToken.php
--- trunk/include/Webservices/AuthToken.php	(revision 7)
+++ trunk/include/Webservices/AuthToken.php	(working copy)
@@ -19,6 +19,14 @@
 		$servertime = time();
 		$expireTime = time()+(60*5);
+		$sql = "select userid,token,expiretime, count(*) as count from vtiger_ws_userauthtoken group by userid=?";
+		$res = $adb->pquery($sql,array($userid,$servertime));
+		$result = $adb->fetchByAssoc($res);
+		if ($result['count']>=1) {
+			return array("token"=>$result["token"],"serverTime"=>$servertime,"expireTime"=>$result["expiretime"]);
+		}
 		$sql = "delete from vtiger_ws_userauthtoken where userid=?";

Admin Manual
Developer Manual