Prebid Server cookie sync race condition

[dbemiller]

Type of issue

Bug

Description

There's a race condition in the prebidServerBidAdapter cookie sync code: https://github.com/prebid/Prebid.js/blob/master/modules/prebidServerBidAdapter/index.js#L119

Prebid Server's /setuid endpoint behaves like so:

1. Unpack the Cookie sent in the request, to get existing user IDs.
2. Update the data inside the Cookie with the new Bidder/UID
3. Respond with a Set-Cookie header with the updated data.

Suppose two syncs get executed, and the second one gets sent before the first one returns. The same Cookie data will be sent to both. Both /setuid calls will respond with Set-Cookie headers, but neither one will contain the other one's data. After both execute, the final cookie will only have the updated ID from the last /setuid response to return.

Steps to reproduce

Since this is a race condition, it's inherently impossible to reproduce reliably. To increase the chances of reproducing it, run an auction with all the Prebid Server bidders. Use a baset64 decoder to decode the PBS cookie, and see whether all the bidders have syncs there.

In practice, there's probably not much value in reproducing it. To fix it, just do your best to avoid running two Prebid Server cookie syncs at the same time.

[mkendall07]

Agree this is a bug. We can address in Q1 unless someone want's to work on it now.