duancao1951 2019-02-16 15:45
浏览 128
已采纳

防止PHP / Redis会话D / DoS攻击

I have implemented my own SessionHandlerInterface that reads/writes user sessions and persistent sessions to a Redis server. The user session cookie is set to expire the moment the browser is closed and so the associated Redis session needs to be cleaned up. I can clean this up by setting an expiration of 30 minutes for example, which will result in the user receiving a new session very 30 minutes without disruption due to the presence of the persistent session. At the time a user logs in, I automatically issue a persistent cookie that keeps them logged in for a few months.

How do I prevent a D/DoS attack where a user programatically gets a user session cookie and/or persistent cookie, deletes it, and continues to request and delete the cookie indefinitely? Essentially creating an infinite number of orphaned user or persistent sessions in Redis that will eventually be cleaned up. Even if I reduce the session cookie life to 1 minute to reduce the risk somewhat, it still leaves a persistent cookie issue where they don't set to expire for months. This could easily crash my session manager and prevent all users from loggin in.

I'm aware that firewalls have built in solutions for this, however I'm wondering how this attack can be mitigated at the application level.

This issue has been raised before: Orphaned Session Management Records in Database. How to handle the issue? DB Stability Risk

  • 写回答

1条回答 默认 最新

  • doujuanju3076 2019-02-17 14:45
    关注

    I believe I have a solution identified outside of leveraging a firewall.

    In Redis for both the user session and persistent session I'll leverage a hash and store the userid along with any relevant info. At the time that a new user or persistent session must be created, a look up in Redis will occur for any user and/or persistent session that exists (depending on whether a user session is being requested or persistent session) and if one exists that has yet to expire, either overwrite it or delete it and create a new one.

    This should garuantee that at no time more than one user session or persistent session can exist for a user and should nullify any DoS session attack.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 我想通过python处理sybase IQ库的一些数据,但是不知道sybase IQ库怎么连接,之前连接都是用linux上的 dbisql
  • ¥15 安装llama-cpp-python==0.1.83失败
  • ¥20 管道轴向耦合水击问题
  • ¥60 补全networkx TODO部分。
  • ¥15 有内推吗,云计算linux运维方向
  • ¥30 sort cuteSV.vcf by bcftools用IGV可视化出现报错
  • ¥100 SOS!对STK中导出的天体图像进行质心提取有没有人做过啊
  • ¥15 python 欧式距离
  • ¥15 遗传算法解决有工序顺序约束的大规模FJSP问题
  • ¥15 企业消防水炮塔设计方案