Open inureyes opened 10 years ago
Currently, session timeout does not work for spammers: session update timer (for garbage collection) is refreshed when the same user (IP/session) tries to reconnect.
Session time extension is intended behavior. However we also keep the spammers' sessions. Any idea?
Currently, comment addition route automatically create anonymous session if no session is found. However, comment by human interaction should have pre-assigned session. Also, too many anonymous sessions could make session handler congestion. We need solutions for that.