I have implemented my own SessionHandlerInterface that reads/writes user sessions and persistent sessions to a Redis server. The user session cookie is set to expire the moment the browser is closed and so the associated Redis session needs to be cleaned up. I can clean this up by setting an expiration of 30 minutes for example, which will result in the user receiving a new session very 30 minutes without disruption due to the presence of the persistent session. At the time a user logs in, I automatically issue a persistent cookie that keeps them logged in for a few months.
How do I prevent a D/DoS attack where a user programatically gets a user session cookie and/or persistent cookie, deletes it, and continues to request and delete the cookie indefinitely? Essentially creating an infinite number of orphaned user or persistent sessions in Redis that will eventually be cleaned up. Even if I reduce the session cookie life to 1 minute to reduce the risk somewhat, it still leaves a persistent cookie issue where they don't set to expire for months. This could easily crash my session manager and prevent all users from loggin in.
I'm aware that firewalls have built in solutions for this, however I'm wondering how this attack can be mitigated at the application level.
This issue has been raised before: Orphaned Session Management Records in Database. How to handle the issue? DB Stability Risk
