Periodical queries for nodebb sessions
-
Are they always to the same session id or different session ids? Are there any repeating requests in your network tab? You can always put a console.log in the get method in connect-mongo to see where it is being called from.
nodebb\node_modules\connect-mongo\src\index.js@223
just add
console.log('session.get', new Error('-').stack);
Also check network tab to see if socket.io is using websockets or falling back to xhr-polling.
-
@baris
Thanks for fast answer. Queries are not for one specific session but simultaneously for every session id (not sure if every but surely for many different ids and it looks like for every)
After switching to redis I also can see in redis-cli monitor:
It occurs every ~3 seconds now
Forum works fast now, but I'm worried that after some sessions will be created I will face the same issue.
-
Is this a live forum? What kind of load/page views are there? Any custom plugins? A default nodebb install won't create any sessions for guests but if there are plugins saving data into req.session then that will create sessions for every guest.
Does your admin dashboard show a lot of traffic for bots/spiders?
-
@baris Yep we have some custom plugins. Traffic is mostly from registered users (90%).
Now we have below 1 page view / sec.
Creating sessions isn't anything bad I believe. It's just what is reading all of them
I will try to get the stacktrace of connect-redis
-
Ok so most queries come from line 90:
-
@baris It looks worse - We receive a request every 1 second. It looks like this particular user has a bot that tries to login every 1 sec.
After 1 hour he has 3600 active sessions that are tried to be cleared on login.
Maybe we could add a limit for maximum active sessions
-
@cryptoethic I have banned the particular user and no more sessions are created.
I suggest adding method revokeSessionsAboveTreshold that removes oldest sessions above threshold.
User.auth.addSession = async function (uid, sessionId) {
    if (!(parseInt(uid, 10) > 0)) {
        return;
    }
    await cleanExpiredSessions(uid);
    await revokeSessionsAboveTreshold(meta.config.maxUserSessions);
    await db.sortedSetAdd('uid:' + uid + ':sessions', Date.now(), sessionId);
};
I can add such a function and add PR to core. What do you think?
-
@cryptoethic please open an issue with the details on our github.
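
The per-user session cap proposed in the thread, written out as an added example (not code from the thread or from NodeBB core), showing how the cap bounds the 'uid:<uid>:sessions' sorted set when one account logs in repeatedly. The in-memory db stand-in, the destroyed list, the corrected-spelling helper name and passing uid to it are assumptions; maxUserSessions is the setting name proposed in the post.

```javascript
// Constructed in-memory stand-in for the sorted-set calls used in the post.
// It only mirrors their call shape so the example runs offline.
const sets = new Map();
const db = {
  async sortedSetAdd(key, score, value) {
    const set = sets.get(key) || new Map();
    set.set(value, score);
    sets.set(key, set);
  },
  // Members ordered by ascending score, i.e. oldest session first.
  async getSortedSetRange(key, start, stop) {
    const members = [...(sets.get(key) || new Map())]
      .sort((a, b) => a[1] - b[1]).map(([value]) => value);
    return members.slice(start, stop === -1 ? undefined : stop + 1);
  },
  async sortedSetRemove(key, values) {
    const set = sets.get(key);
    if (set) values.forEach((v) => set.delete(v));
  },
};

// Hypothetical setting from the post; 0 or unset disables the cap.
const meta = { config: { maxUserSessions: 3 } };
const destroyed = []; // stands in for deleting the session from the session store

// Revoke the oldest sessions so that, once one more is added, the user
// holds at most maxSessions. Returns the revoked session ids.
async function revokeSessionsAboveThreshold(uid, maxSessions) {
  const max = parseInt(maxSessions, 10);
  if (!(max > 0)) return [];
  const key = 'uid:' + uid + ':sessions';
  const sids = await db.getSortedSetRange(key, 0, -1);
  const excess = sids.length - (max - 1);
  if (excess <= 0) return [];
  const oldest = sids.slice(0, excess);
  await db.sortedSetRemove(key, oldest);
  destroyed.push(...oldest); // the stored session itself must go too, not just the index entry
  return oldest;
}

async function addSession(uid, sessionId, now = Date.now()) {
  if (!(parseInt(uid, 10) > 0)) return [];
  const revoked = await revokeSessionsAboveThreshold(uid, meta.config.maxUserSessions);
  await db.sortedSetAdd('uid:' + uid + ':sessions', now, sessionId);
  return revoked;
}
```

With the cap in place, a client that logs in every second keeps the set at maxUserSessions entries instead of growing it to thousands that each later login has to walk.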