Periodical queries for nodebb sessions

<baris>

Are they always to the same session id or different session ids? Are there any repeating requests in your network tab? You can always put a console.log in the get method in connet-mongo to see where it is being called from. nodebb\node_modules\connect-mongo\src\index.js@223 just add console.log('session.get', new Error('-').stack); Also check network tab to see if socket.io is using websockets or falling back to xhr-polling.

cryptoethic

@baris
Thanks for fast answer.

Queries are not for one specific session but simultaneously for every session id (not sure if every but surely for many different ids and it looks like for every)

After switching to redis I also can see in redis-cli monitor:

It occurs every ~3 seconds now

Forum works fast now, but I'm worried that after some sessions will be created I will face the same issue.

<baris>

Is this a live forum? What kind of load/page views are there? Any custom plugins? A default nodebb install won't create any sessions for guests but if there are plugins saving data into req.session then that will create sessions for every guest.

Does your admin dashboard show alot of traffic for bots/spiders?

cryptoethic

@baris Yep we have some custom plugins. Traffic is mostly from registered users (90%).

Now we have below 1 page view / sec.

Creating sessions isn't anything bad I believe. It's just what is reading all of them

I will try to get the stacktrace of connect-redis

cryptoethic

@cryptoethic

Ok so most queries comes from line 90:

<baris>

Hmm there are a few places that function is called, once is from authenticationController.onSuccessfulLogin maybe that is getting triggered a lot?

cryptoethic

@baris

Doing some more console logs:

Every second cleanExpiredSessions for user (uid: 17445495) is called:

uuid mappings = Object.keys(uuidMapping).length

<baris>

src/controllers/authentication.js:326 is the onSuccesfullLogin function I mentioned, could be a bug in the login system that is repeatedly calling this function. Are you using a sso/third party login system?

cryptoethic

@baris Yep. Custom local-login passport strategy.

<baris>

Yeah I would inspect the source for that and make sure it is not calling the login function unnecessarily.

cryptoethic

@baris It looks worse - We receive a request every 1 second. It looks like this particular user has a bot that tries to login every 1 sec.

After 1 hour he has 3600 active sessions that are tried to be cleared on login.

Maybe we could add a limit for maximum active sessions

cryptoethic

@cryptoethic I have banned the particular user and no more sessions are created.

I suggest adding method revokeSessionsAboveTreshold that removes oldest sessions above treshold.

	User.auth.addSession = async function (uid, sessionId) {
		if (!(parseInt(uid, 10) > 0)) {
			return;
		}
		await cleanExpiredSessions(uid);
                await revokeSessionsAboveTreshold(meta.config.maxUserSessions);
		await db.sortedSetAdd('uid:' + uid + ':sessions', Date.now(), sessionId);
	};

I can add such a function and add PR to core. What do you think?

<baris>

@cryptoethic please open an issue with the details on our github.