Periodical queries for nodebb sessions
-
Is this a live forum? What kind of load/page views are there? Any custom plugins? A default nodebb install won't create any sessions for guests but if there are plugins saving data into req.session then that will create sessions for every guest.
Does your admin dashboard show a lot of traffic for bots/spiders?
-
@baris Yep we have some custom plugins. Traffic is mostly from registered users (90%).
Now we have below 1 page view / sec.
Creating sessions isn't anything bad, I believe. It's just what is reading all of them.
I will try to get the stacktrace of connect-redis.
-
Ok, so most queries come from line 90:
-
@baris It looks worse - We receive a request every 1 second. It looks like this particular user has a bot that tries to login every 1 sec.
After 1 hour he has 3600 active sessions that are tried to be cleared on login.
Maybe we could add a limit for maximum active sessions.
-
@cryptoethic I have banned the particular user and no more sessions are created.
I suggest adding a method revokeSessionsAboveTreshold that removes the oldest sessions above the threshold.

```javascript
User.auth.addSession = async function (uid, sessionId) {
	if (!(parseInt(uid, 10) > 0)) {
		return;
	}
	await cleanExpiredSessions(uid);
	await revokeSessionsAboveTreshold(meta.config.maxUserSessions);
	await db.sortedSetAdd('uid:' + uid + ':sessions', Date.now(), sessionId);
};
```
I can add such a function and add PR to core. What do you think?
-
@cryptoethic please open an issue with the details on our github.
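
The per-user session cap proposed in this thread, sketched as an added example (not code from any post above or from NodeBB core). The in-memory `db` and `sessionStore`, the helper's `(uid, max)` signature, and trimming after the insert are assumptions; only the `uid:<uid>:sessions` key shape comes from the thread.

```javascript
// Constructed in-memory stand-ins (assumptions): sorted sets keyed like the
// thread's 'uid:<uid>:sessions', and a session store keyed by session id.
const sortedSets = new Map(); // key -> [{ score, value }], oldest first
const sessionStore = new Map(); // sessionId -> session data

const db = {
  async sortedSetAdd(key, score, value) {
    const set = (sortedSets.get(key) || []).filter(e => e.value !== value);
    set.push({ score, value });
    set.sort((a, b) => a.score - b.score);
    sortedSets.set(key, set);
  },
  async getSortedSetRange(key) {
    return (sortedSets.get(key) || []).map(e => e.value);
  },
  async sortedSetRemove(key, values) {
    const kept = (sortedSets.get(key) || []).filter(e => !values.includes(e.value));
    sortedSets.set(key, kept);
  },
};

// Hypothetical helper: keep only the newest `max` sessions of one user.
async function revokeSessionsAboveThreshold(uid, max) {
  if (!(max > 0)) return []; // no cap configured
  const key = 'uid:' + uid + ':sessions';
  const sids = await db.getSortedSetRange(key);
  const excess = sids.slice(0, Math.max(0, sids.length - max));
  for (const sid of excess) sessionStore.delete(sid); // destroy the session itself
  if (excess.length) await db.sortedSetRemove(key, excess);
  return excess; // revoked session ids, oldest first
}

async function addSession(uid, sessionId, max, now = Date.now()) {
  if (!(parseInt(uid, 10) > 0)) return []; // guests are not tracked
  sessionStore.set(sessionId, { uid });
  await db.sortedSetAdd('uid:' + uid + ':sessions', now, sessionId);
  // Trim after the insert so the new session counts toward the cap.
  return revokeSessionsAboveThreshold(uid, max);
}

// Constructed scenario from the thread: one login per second for one account.
async function simulateLogins(uid, count, max) {
  for (let i = 0; i < count; i++) await addSession(uid, 'sess-' + i, max, 1000 * i);
  return db.getSortedSetRange('uid:' + uid + ':sessions');
}
```

With a cap in place, the login path only ever reads and clears a bounded number of session keys per user, however many logins a bot generates.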