Periodical queries for nodebb sessions


  • Hi!

    I'm facing a strange issue. My NodeBB server uses MongoDB to store sessions. Every ~5 seconds there is a query for a session. I checked that the method being called is .get() from the session storage (connect-mongo). It looks like this method is called for each session id.

    During this peak there is lag on the forum.

    4e37230a-a0f8-410a-986e-ee1a9235f268-image.png

    Is there any native express-session behavior that might cause so many requests?

    I have checked that in NodeBB core there is only validateSession method that checks session, but I'm not receiving that many socket events.

    Many thanks for your help 😉
    In the meantime I will remove all active sessions and try to store sessions in redis.

    Best,
    cryptoethic

  • Admin NodeBB

    Are they always to the same session id or different session ids? Are there any repeating requests in your network tab? You can always put a console.log in the get method in connect-mongo to see where it is being called from. In nodebb\node_modules\connect-mongo\src\index.js@223 just add console.log('session.get', new Error('-').stack); Also check the network tab to see if socket.io is using websockets or falling back to xhr-polling.


  • @baris
    Thanks for the fast answer.

    Queries are not for one specific session but simultaneously for every session id (not sure if every but surely for many different ids and it looks like for every)

    After switching to redis I also can see in redis-cli monitor:
    fa9c1952-cc30-4cef-b0fb-bf4f2371f4d4-image.png

    It occurs every ~3 seconds now

    The forum works fast now, but I'm worried that once some sessions are created I will face the same issue.

  • Admin NodeBB

    Is this a live forum? What kind of load/page views are there? Any custom plugins? A default nodebb install won't create any sessions for guests but if there are plugins saving data into req.session then that will create sessions for every guest.

    Does your admin dashboard show a lot of traffic for bots/spiders?


  • @baris Yep we have some custom plugins. Traffic is mostly from registered users (90%).

    Now we have below 1 page view / sec.

    Creating sessions isn't anything bad I believe. It's just what is reading all of them 🙂

    I will try to get the stacktrace of connect-redis


  • @cryptoethic

    Ok so most queries come from line 90:

    37fed584-1ae5-4971-a41d-77d4a8155378-image.png

  • Admin NodeBB

    Hmm, there are a few places that function is called. One is from authenticationController.onSuccessfulLogin, maybe that is getting triggered a lot?


  • @baris

    Doing some more console logs:

    Every second cleanExpiredSessions for user (uid: 17445495) is called:
    02359b87-51af-41ae-90c5-6eef66bb5fca-image.png

    uuid mappings = Object.keys(uuidMapping).length

  • Admin NodeBB

    src/controllers/authentication.js:326 is the onSuccessfulLogin function I mentioned. It could be a bug in the login system that is repeatedly calling this function. Are you using an SSO/third-party login system?


  • @baris Yep. Custom local-login passport strategy.

  • Admin NodeBB

    Yeah I would inspect the source for that and make sure it is not calling the login function unnecessarily.


  • @baris It looks worse - We receive a request every 1 second. It looks like this particular user has a bot that tries to login every 1 sec.

    After 1 hour he has 3600 active sessions that are tried to be cleared on login.

    Maybe we could add a limit for maximum active sessions


  • @cryptoethic I have banned the particular user and no more sessions are created.

    I suggest adding a method revokeSessionsAboveTreshold that removes the oldest sessions above the threshold.

    	User.auth.addSession = async function (uid, sessionId) {
    		if (!(parseInt(uid, 10) > 0)) {
    			return;
    		}
    		await cleanExpiredSessions(uid);
    		// Proposed helper (not in core): drop this user's oldest sessions above the limit
    		await revokeSessionsAboveTreshold(uid, meta.config.maxUserSessions);
    		await db.sortedSetAdd('uid:' + uid + ':sessions', Date.now(), sessionId);
    	};
    

    I can add such a function and add PR to core. What do you think?

  • Admin NodeBB

    @cryptoethic please open an issue with the details on our GitHub.
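
The per-user session cap proposed in the thread, as an added example that is not part of any post or of NodeBB core. The in-memory sorted set and session store, the helper `revokeSessionsAboveThreshold(uid, maxSessions)`, the session ids and the once-per-second login workload are all constructed here as assumptions.

```javascript
'use strict';

// Constructed in-memory stand-ins for the NodeBB database and session store.
const sortedSets = new Map();   // key -> [{ value, score }], sorted by score
const sessionStore = new Map(); // sessionId -> session data

function sortedSetAdd(key, score, value) {
	const set = (sortedSets.get(key) || []).filter(e => e.value !== value);
	set.push({ value, score });
	set.sort((a, b) => a.score - b.score);
	sortedSets.set(key, set);
}

// Hypothetical helper: make room for one new session under maxSessions by
// destroying the oldest ones (lowest score = earliest login). 0 means no cap.
function revokeSessionsAboveThreshold(uid, maxSessions) {
	const key = 'uid:' + uid + ':sessions';
	const set = sortedSets.get(key) || [];
	const excess = set.length - (maxSessions - 1);
	if (!(maxSessions > 0) || excess <= 0) {
		return [];
	}
	const revoked = set.splice(0, excess).map(e => e.value);
	revoked.forEach(sid => sessionStore.delete(sid));
	return revoked;
}

function addSession(uid, sessionId, now, maxSessions) {
	if (!(parseInt(uid, 10) > 0)) {
		return;
	}
	revokeSessionsAboveThreshold(uid, maxSessions);
	sessionStore.set(sessionId, { uid });
	sortedSetAdd('uid:' + uid + ':sessions', now, sessionId);
}

// Constructed workload: one account logging in once per second.
function simulateLoginBot(uid, logins, maxSessions) {
	const start = 1700000000000; // arbitrary constructed timestamp (ms)
	for (let i = 0; i < logins; i++) {
		addSession(uid, 'sess-' + uid + '-' + i, start + i * 1000, maxSessions);
	}
	return (sortedSets.get('uid:' + uid + ':sessions') || []).map(e => e.value);
}

const remaining = simulateLoginBot(17445495, 3600, 10);
console.log(remaining.length, remaining[0], remaining[remaining.length - 1]);
```

With a cap of 10, an hour of logins leaves only the ten newest sessions, so the expired-session cleanup on each login has a bounded set to read instead of 3600 entries.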
