Three requests. Same session ID. Same product SKU: DRN-7X .
Leo leaned back in his creaking office chair, the glow of three monitors painting his tired face in pale blue light. He was the senior backend engineer for Velvet & Sole , a boutique online shoe retailer that had, against all odds, become a cult hit. Their signature "Dragonhide 7X" boot sold out in eleven minutes every restock.
He pulled up the session data. User ID: gh0st_walk3r . Cart contents: 1x DRN-7X (size 11). Then the log showed the pattern: add, add, add. The PHP script was supposed to increment quantity. But this user was triggering a race condition—three identical requests arriving before the first one finished writing to the database.
Leo clicked through to the checkout table. The order hadn't been placed yet. But the cart's total? $1,197.00. The user had effectively bypassed the "max 1 per customer" rule without triggering a single alarm. Not a hack. Not an SQL injection. Just the ugly poetry of concurrency. add-cart.php num
Tonight, he'd let the ghost walker win. The next morning, a new commit appeared on the main branch: fix: add unique constraint and row-level locking to add-cart.php (thanks gh0st_walk3r for the pentest)
He checked gh0st_walker 's IP address. Traced it back to a residential block in Akron, Ohio. Not a botnet. Not a competitor. Someone sitting in a basement, probably using a simple bash script:
Instead, he clicked over to the user's profile. gh0st_walker had been a member for four years. Bought three pairs of boots, left glowing reviews each time. Their last order was a size 11—the same size in the ghost cart. Three requests
Leo smiled. He opened a new terminal and manually reduced the three rows to one. Then he added a note to the user's account: "Loyal customer. Approved for second pair on next restock. Also, nice race condition."
The server logs didn't blink. They never did. But for Leo, the silent, green-on-black text of /var/log/nginx/access.log might as well have been a screaming headline.
But he didn't type a single line.
He closed the file. He'd fix add-cart.php tomorrow.
But for the last three nights, someone had been bending the rules.