duancao1951 2019-02-16 15:45
Views: 128
Accepted

Preventing PHP / Redis session D/DoS attacks

I have implemented my own SessionHandlerInterface that reads/writes user sessions and persistent sessions to a Redis server. The user session cookie is set to expire the moment the browser is closed and so the associated Redis session needs to be cleaned up. I can clean this up by setting an expiration of 30 minutes for example, which will result in the user receiving a new session every 30 minutes without disruption due to the presence of the persistent session. At the time a user logs in, I automatically issue a persistent cookie that keeps them logged in for a few months.

How do I prevent a D/DoS attack where a user programmatically gets a user session cookie and/or persistent cookie, deletes it, and continues to request and delete the cookie indefinitely? Essentially creating an infinite number of orphaned user or persistent sessions in Redis that will eventually be cleaned up. Even if I reduce the session cookie life to 1 minute to reduce the risk somewhat, it still leaves a persistent cookie issue where it isn't set to expire for months. This could easily crash my session manager and prevent all users from logging in.

I'm aware that firewalls have built in solutions for this, however I'm wondering how this attack can be mitigated at the application level.

This issue has been raised before: Orphaned Session Management Records in Database. How to handle the issue? DB Stability Risk


1 answer

  • doujuanju3076 2019-02-17 14:45

    I believe I have a solution identified outside of leveraging a firewall.

    In Redis, for both the user session and persistent session I'll leverage a hash and store the userid along with any relevant info. At the time that a new user or persistent session must be created, a lookup in Redis will occur for any user and/or persistent session that exists (depending on whether a user session or a persistent session is being requested) and if one exists that has yet to expire, either overwrite it or delete it and create a new one.

    This should guarantee that at no time can more than one user session or persistent session exist for a user and should nullify any DoS session attack.

    This answer was selected as the best answer by the asker.
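One way to implement the "one session and one persistent token per user" rule described in the answer, as an added example that is not code from the original question or answer. It assumes the phpredis extension (`Redis` class) and the key names, hash fields and TTLs shown are illustrative assumptions.

```php
<?php
// Added example (not from the original post): at login, replace whatever
// session/persistent records the user already holds instead of adding new ones,
// so a "request cookie, delete cookie, repeat" loop cannot accumulate keys.
declare(strict_types=1);

final class SingleSessionStore
{
    private const SESSION_TTL    = 1800;        // 30 minutes, as in the question
    private const PERSISTENT_TTL = 90 * 86400;  // "a few months" (assumed 90 days)

    public function __construct(private Redis $redis) {}

    /** @return array{session: string, persistent: string} the new cookie values */
    public function issueForUser(int $userId): array
    {
        $sessionId  = bin2hex(random_bytes(32));
        $persistent = bin2hex(random_bytes(32));

        // Index keys: the single session / persistent token this user may hold.
        $sessIdx = "user:{$userId}:session";
        $persIdx = "user:{$userId}:persistent";
        $old = $this->redis->mGet([$sessIdx, $persIdx]);   // false where missing

        // Read-then-write is not atomic: two simultaneous logins can leave at
        // most one extra orphan until its TTL, which is bounded, not unbounded.
        $tx = $this->redis->multi();
        if (!empty($old[0])) { $tx->del("sess:{$old[0]}"); }
        if (!empty($old[1])) { $tx->del("persist:{$old[1]}"); }

        $now = time();
        $tx->hMSet("sess:{$sessionId}", ['uid' => $userId, 'created' => $now]);
        $tx->expire("sess:{$sessionId}", self::SESSION_TTL);
        $tx->hMSet("persist:{$persistent}", ['uid' => $userId, 'created' => $now]);
        $tx->expire("persist:{$persistent}", self::PERSISTENT_TTL);

        // Index entries expire together with the records they point at.
        $tx->setEx($sessIdx, self::SESSION_TTL, $sessionId);
        $tx->setEx($persIdx, self::PERSISTENT_TTL, $persistent);
        $tx->exec();

        return ['session' => $sessionId, 'persistent' => $persistent];
    }
}
```

This bounds the keys created by authenticated users; anonymous sessions issued before login are not covered by a per-user index, so they still need the short TTL the question mentions.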
