Open bemoody opened 6 months ago
We could try to fix this in check_http_auth, but for real scalability and DOS resistance we should probably be using cookie-backed sessions instead.
https://docs.djangoproject.com/en/5.0/topics/http/sessions/#using-cookie-based-sessions
I mean, somebody who really wants to wreck the site can always script something to perform millions of logins through /login/.
Something seems to have created a massive number of Django sessions. The total number of sessions is currently around 4.5 million.
(At first I thought, are expired sessions not getting deleted for some reason? But no...)
It looks like there are a huge number of sessions containing exactly the same session_data and expiring on 05-22.
I am guessing that this is caused by check_http_auth and perhaps a buggy client.
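An added example, not code from this issue or from the project it belongs to: a stand-alone Python decoder for the session_data column in the layout I understand django.core.signing to use (payload:timestamp:signature, HMAC-SHA256 keyed from salt + "signer" + SECRET_KEY). It reads the payload and save time of a row without the secret, verifies the signature with it, and tallies rows that share one payload, which is the shape of the problem described above. The salt, the SECRET value, the timestamps and the rows are constructed for the example, and the layout should be checked against one real row before the verifier is trusted.

```python
"""Decode, verify and tally Django session_data (django.core.signing layout).

Layout assumed here (my reading of signing.dumps()/TimestampSigner, Django 3.1+):
    <payload>:<timestamp>:<signature>
payload   = urlsafe base64, no padding, of compact JSON; leading "." = zlib-compressed
timestamp = base62 seconds since the epoch, written when the row was saved
signature = urlsafe base64 of HMAC-SHA256 over "<payload>:<timestamp>",
            keyed with sha256(salt + "signer" + SECRET_KEY)
"""
import base64
import hashlib
import hmac
import json
import time
import zlib
from collections import Counter
from datetime import datetime, timezone
from typing import List, Optional, Tuple

B62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SESSION_SALT = "django.contrib.sessions.SessionStore"  # db backend key_salt (assumed)
SECRET = "constructed-secret-key-for-this-example"     # stands in for settings.SECRET_KEY


def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b62_encode(n: int) -> str:
    digits = ""
    while True:
        n, r = divmod(n, 62)
        digits = B62[r] + digits
        if n == 0:
            return digits


def b62_decode(text: str) -> int:
    n = 0
    for ch in text:
        n = n * 62 + B62.index(ch)
    return n


def _signature(value: str, secret: str, salt: str) -> str:
    key = hashlib.sha256((salt + "signer" + secret).encode()).digest()
    return _b64e(hmac.new(key, value.encode(), hashlib.sha256).digest())


def encode_session(session: dict, secret: str, now: int, salt: str = SESSION_SALT) -> str:
    """Build a session_data string the way the db backend's encode() would (assumed layout)."""
    data = json.dumps(session, separators=(",", ":")).encode()
    compressed = zlib.compress(data)
    payload = "." + _b64e(compressed) if len(compressed) < len(data) - 1 else _b64e(data)
    value = f"{payload}:{b62_encode(now)}"
    return f"{value}:{_signature(value, secret, salt)}"


def peek_session(session_data: str) -> Tuple[dict, datetime]:
    """Read payload and save time WITHOUT the secret: the data is signed, not
    encrypted, so anyone holding the string (or the cookie) can read it."""
    payload, stamp, _sig = session_data.rsplit(":", 2)
    raw = zlib.decompress(_b64d(payload[1:])) if payload.startswith(".") else _b64d(payload)
    return json.loads(raw), datetime.fromtimestamp(b62_decode(stamp), tz=timezone.utc)


def verify_session(session_data: str, secret: str, max_age: Optional[int] = None,
                   now: Optional[int] = None, salt: str = SESSION_SALT) -> Optional[dict]:
    """Return the session dict only if the HMAC matches and the row is not older than max_age."""
    value, sig = session_data.rsplit(":", 1)
    if not hmac.compare_digest(_signature(value, secret, salt), sig):
        return None
    session, saved_at = peek_session(session_data)
    current = time.time() if now is None else now
    if max_age is not None and current - saved_at.timestamp() > max_age:
        return None
    return session


def churn_report(rows: List[Tuple[str, str]]) -> List[Tuple[int, Optional[str], str]]:
    """Group (session_key, session_data) rows by identical session_data, most common
    first; report (count, _auth_user_id, save time). Many rows sharing one payload
    and one user is the fingerprint of a client that logs in on every request."""
    counts = Counter(data for _key, data in rows)
    report = []
    for data, n in counts.most_common():
        session, saved_at = peek_session(data)
        report.append((n, session.get("_auth_user_id"), saved_at.isoformat()))
    return report


T0 = 1715126400  # 2024-05-08T00:00:00Z, constructed
LOGIN = {"_auth_user_id": "42",
         "_auth_user_backend": "django.contrib.auth.backends.ModelBackend",
         "_auth_user_hash": "0123456789abcdef"}
# Constructed django_session rows: three saved in the same second for one user,
# one for another user a minute later, one large enough to trigger compression.
SAMPLE_ROWS = [
    ("key-1", encode_session(LOGIN, SECRET, T0)),
    ("key-2", encode_session(LOGIN, SECRET, T0)),
    ("key-3", encode_session(LOGIN, SECRET, T0)),
    ("key-4", encode_session({**LOGIN, "_auth_user_id": "7"}, SECRET, T0 + 60)),
    ("key-5", encode_session({"note": "x" * 300}, SECRET, T0 + 120)),
]

if __name__ == "__main__":
    for count, user, when in churn_report(SAMPLE_ROWS):
        print(f"{count:>4} rows  user={user}  saved={when}")
```

On a real table the grouping step is `SELECT session_data, COUNT(*) FROM django_session GROUP BY session_data ORDER BY 2 DESC LIMIT 10`, and peek_session() on one row from the top group says which account it is and when it was written. If check_http_auth calls django.contrib.auth.login() for every Basic-auth request and the client never sends the session cookie back, each request is a new modified session and therefore a new row; authenticating the request by setting request.user without calling login() avoids the write. The same string layout is what the signed_cookies backend from the Django docs link above stores in the browser, which removes the row-per-login problem, but the payload is only signed, so whatever goes into the session is readable by the user, and a cookie cannot be revoked server-side before it expires.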