Session creation soft-lock

[AriDeve]

Describe the Bug

I have encountered an issue where, due to incorrect existence checks, a session will never be able to "send" data. Consistent attempts to create a new session when it already exists cause the send endpoint to time out instead of failing gracefully.
This happens due to multiple compounding issues:

1. When a request to send is processed, it creates a session (or tries to create one) before any action is taken with the event. It's not exactly a problem, but can currently cause an issue due to an issue mentioned later
2. If a sessions first action is to send session data, aka type: 'identify' event, it gets placed into the session_data table
3. When the next event comes in, no matter the type, an attempt to check if the session already exists is made before creating it. This check uses getWebsiteSession to get an existing session. getWebsiteSession doesn't return an existing session if there isn't an entry by the session in the website_event table, meaning that due to the second point, it tries to create a new session even if it exists
4. createSession fails due to a unique constraint error from the database, but the error is explicitly ignored, and visitId is still returned in the object. !session?.id catches that the session ID is missing, but fails to properly close the request, simply returning from send, meaning that whatever called the endpoint would timeout silently without explanation

This issue essentially soft-locks a specific session, because it cannot recover after the initial creation. A similar issue can occur as called out in the first point, if the creation of any type of event fails for unforeseen issues, as getWebsiteSession requires an entry in both session and website_event.

Potential fixes/solutions:

1. Add a separate query for checking if a session already exists that doesn't depend on other tables. This would make point one irrelevant, as well as solve the issue at hand
2. Don't ignore the unique constraint error, as that causes the function to return some data. However, the visitId could be used elsewhere, I haven't checked too far. Or add a proper error response for the instance, where the session doesn't contain an id, so it doesn't cause timeouts. I remember seeing someone already mention this one on Discord

Log output is from @aperion_93218 on discord, I didn't have the log on hand, but it is the same. Otherwise this issue doesn't log any errors.

Database

PostgreSQL

Relevant log output

2025-01-06 14:25:19.730 UTC [11765] ERROR:  duplicate key value violates unique constraint "session_pkey"
2025-01-06 14:25:19.730 UTC [11765] DETAIL:  Key (session_id)=(43549496-274a-571b-b209-90206c5bde86) already exists.
2025-01-06 14:25:19.730 UTC [11765] STATEMENT:  INSERT INTO "public"."session" ("session_id","website_id","hostname","browser","os","device","screen","language","country","subdivision1","subdivision2","city","created_at") VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13) RETURNING "public"."session"."session_id", "public"."session"."website_id", "public"."session"."hostname", "public"."session"."browser", "public"."session"."os", "public"."session"."device", "public"."session"."screen", "public"."session"."language", "public"."session"."country", "public"."session"."subdivision1", "public"."session"."subdivision2", "public"."session"."city", "public"."session"."created_at"

Which Umami version are you using? (if relevant)

No response

Which browser are you using? (if relevant)

No response

How are you deploying your application? (if relevant)

No response

[szwabodev]

hello, any idea when the fix will be released?

[6mdx]

Hello, Any update?

[mikecao]

Fixed in v2.16.0.