What happened?
Description
Looking into a bug for a Servd client. When using Live Preview they were seeing generic control panel errors displayed, and 403 errors for ajax requests in the console. The exception shown in Craft's logs is:
[error][yii\web\HttpException:403] yii\web\ForbiddenHttpException: User is not authorized to perform this action in /var/www/html/vendor/craftcms/cms/src/web/Controller.php:308
Stack trace:
#0 /var/www/html/vendor/craftcms/cms/src/controllers/PreviewController.php(68): craft\web\Controller->requireAuthorization('previewElement:...')
#1 [internal function]: craft\controllers\PreviewController->actionCreateToken()
This happened sporadically and only when multiple entry detail pages had been opened in different tabs.
I believe I have tracked this down to a race condition caused when multiple entry detail pages are opened in a short period of time.
Steps to reproduce
- Open up the Craft Control Panel
- Open several entries by right clicking them and 'opening in new tab' in quick succession
- Within each new Entry Detail tab, click Preview. Some will fail if the race condition has been hit
Expected behavior
Previews work
Actual behavior
403 responses when creating preview tokens
What I think is happening
A race condition here:
cms/src/behaviors/SessionBehavior.php, line 264 at commit 1532cf5:
public function authorize(string $action): void
When multiple entry detail pages are opened simultaneously there's a race condition between the ->get() and ->set() calls, resulting in an inconsistent state written to the session.
More pronounced when using Redis for sessions as the read and write times are longer.
Might need wrapping in a mutex. Or for everyone to just calm down and stop furiously opening tabs.
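A minimal model of the race described above, added here as an example and not Craft's own code: two "tabs" each run a read-modify-write authorize() against a shared session store, once with the writes racing and once serialized behind a mutex as the mutex suggestion would do. The SessionStore class, the key name and the action strings are constructed stand-ins for the session backend.

```python
import threading
from typing import Dict, List

KEY = "authorizedActions"  # constructed key name for the session-stored list


class SessionStore:
    """Constructed stand-in for a session backend (e.g. Redis): get() returns a
    copy, set() overwrites, so every update is a separate read then write."""

    def __init__(self) -> None:
        self._data: Dict[str, List[str]] = {}

    def get(self, key: str) -> List[str]:
        return list(self._data.get(key, []))

    def set(self, key: str, value: List[str]) -> None:
        self._data[key] = value


def authorize_unsafe(store: SessionStore, action: str, barrier: threading.Barrier) -> None:
    # Same shape as the reported bug: read the list, append, write it back.
    # The barrier forces both tabs to read the old list before either writes,
    # which is the interleaving a slow store makes likely in practice.
    actions = store.get(KEY)
    barrier.wait()
    actions.append(action)
    store.set(KEY, actions)  # the second writer silently drops the first's entry


def authorize_locked(store: SessionStore, action: str, lock: threading.Lock) -> None:
    # Holding a mutex across get() and set() serializes the read-modify-write.
    with lock:
        actions = store.get(KEY)
        actions.append(action)
        store.set(KEY, actions)


def run_two_tabs(authorize, sync) -> List[str]:
    """Simulate two entry tabs authorizing previews at the same moment."""
    store = SessionStore()
    threads = [
        threading.Thread(target=authorize, args=(store, f"previewElement:{i}", sync))
        for i in (1, 2)
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(store.get(KEY))


def demo_lost_update() -> List[str]:
    return run_two_tabs(authorize_unsafe, threading.Barrier(2))  # one entry lost


def demo_locked() -> List[str]:
    return run_two_tabs(authorize_locked, threading.Lock())  # both entries kept
```

Whichever tab's entry is missing from demo_lost_update() is the one whose later requireAuthorization() check would fail with the 403 seen in the logs.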
Craft CMS version
3/4/5
PHP version
8.0-8.4