Periodical queries for nodebb sessions
-
Is this a live forum? What kind of load/page views are there? Any custom plugins? A default NodeBB install won't create any sessions for guests, but if there are plugins saving data into req.session then that will create sessions for every guest.
Does your admin dashboard show a lot of traffic for bots/spiders?
-
replied to <baris> on last edited by
@baris It looks worse - We receive a request every 1 second. It looks like this particular user has a bot that tries to login every 1 sec.
After 1 hour he has 3600 active sessions that are tried to be cleared on login.
Maybe we could add a limit for maximum active sessions.
-
replied to cryptoethic on last edited by
@cryptoethic I have banned the particular user and no more sessions are created.
I suggest adding a method revokeSessionsAboveTreshold that removes the oldest sessions above the threshold.

```js
User.auth.addSession = async function (uid, sessionId) {
	// Only track sessions for logged-in users (uid > 0)
	if (!(parseInt(uid, 10) > 0)) {
		return;
	}
	await cleanExpiredSessions(uid);
	// Proposed: revoke the oldest sessions above the configured limit
	await revokeSessionsAboveTreshold(meta.config.maxUserSessions);
	await db.sortedSetAdd('uid:' + uid + ':sessions', Date.now(), sessionId);
};
```
I can add such a function and add PR to core. What do you think?
-
@cryptoethic please open an issue with the details on our github.
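The per-user session cap proposed in the thread, as an added example that is not part of the original posts or of NodeBB's code: it evicts the oldest entries of the `uid:<uid>:sessions` sorted set and replays the one-login-per-second scenario. The in-memory store, `revokeSessionsAboveThreshold`, `addSession`, `simulateLoginBot` and the `maxSessions` parameter (standing in for the post's `meta.config.maxUserSessions`) are assumptions made for illustration.

```javascript
// Stand-in for the database: key -> Map(sessionId -> score). Constructed for
// this example; the post's code uses db.sortedSetAdd on 'uid:<uid>:sessions'.
const sortedSets = new Map();

function sortedSetAdd(key, score, member) {
  if (!sortedSets.has(key)) sortedSets.set(key, new Map());
  sortedSets.get(key).set(member, score);
}

// Members ordered oldest first (lowest score first).
function sortedSetMembersAsc(key) {
  const set = sortedSets.get(key) || new Map();
  return [...set.entries()].sort((a, b) => a[1] - b[1]).map(([id]) => id);
}

// Hypothetical helper: drop the oldest sessions so that, once the new session
// is added, the user holds at most maxSessions. Returns the revoked ids.
function revokeSessionsAboveThreshold(uid, maxSessions) {
  const max = parseInt(maxSessions, 10);
  if (!(max > 0)) return []; // limit unset or invalid: no cap enforced
  const key = 'uid:' + uid + ':sessions';
  const ids = sortedSetMembersAsc(key);
  const excess = ids.length - (max - 1); // leave room for the new session
  if (excess <= 0) return [];
  const revoked = ids.slice(0, excess);
  // A real implementation would also destroy each revoked session in the
  // session store, otherwise its cookie stays valid.
  revoked.forEach(id => sortedSets.get(key).delete(id));
  return revoked;
}

// Synchronous here because the store is in memory; maxSessions stands in for
// the post's meta.config.maxUserSessions.
function addSession(uid, sessionId, maxSessions, now = Date.now()) {
  if (!(parseInt(uid, 10) > 0)) return []; // guests get no tracked session
  const revoked = revokeSessionsAboveThreshold(uid, maxSessions);
  sortedSetAdd('uid:' + uid + ':sessions', now, sessionId);
  return revoked;
}

// Replays the thread's scenario: one login per second (3600 in an hour).
function simulateLoginBot(uid, maxSessions, logins = 3600) {
  let revokedTotal = 0;
  for (let i = 0; i < logins; i++) {
    revokedTotal += addSession(uid, 'sess-' + i, maxSessions, i * 1000).length;
  }
  return { active: sortedSetMembersAsc('uid:' + uid + ':sessions'), revokedTotal };
}
```

With a cap of 10, the hour of automated logins leaves 10 tracked sessions instead of 3600, and only the most recent ones survive.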