2019-02-16 15:45

防止PHP / Redis会话D / DoS攻击


I have implemented my own SessionHandlerInterface that reads/writes user sessions and persistent sessions to a Redis server. The user session cookie is set to expire the moment the browser is closed and so the associated Redis session needs to be cleaned up. I can clean this up by setting an expiration of 30 minutes for example, which will result in the user receiving a new session very 30 minutes without disruption due to the presence of the persistent session. At the time a user logs in, I automatically issue a persistent cookie that keeps them logged in for a few months.

How do I prevent a D/DoS attack where a user programatically gets a user session cookie and/or persistent cookie, deletes it, and continues to request and delete the cookie indefinitely? Essentially creating an infinite number of orphaned user or persistent sessions in Redis that will eventually be cleaned up. Even if I reduce the session cookie life to 1 minute to reduce the risk somewhat, it still leaves a persistent cookie issue where they don't set to expire for months. This could easily crash my session manager and prevent all users from loggin in.

I'm aware that firewalls have built in solutions for this, however I'm wondering how this attack can be mitigated at the application level.

This issue has been raised before: Orphaned Session Management Records in Database. How to handle the issue? DB Stability Risk

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 复制链接分享
  • 邀请回答


  • doujuanju3076 doujuanju3076 2年前

    I believe I have a solution identified outside of leveraging a firewall.

    In Redis for both the user session and persistent session I'll leverage a hash and store the userid along with any relevant info. At the time that a new user or persistent session must be created, a look up in Redis will occur for any user and/or persistent session that exists (depending on whether a user session is being requested or persistent session) and if one exists that has yet to expire, either overwrite it or delete it and create a new one.

    This should garuantee that at no time more than one user session or persistent session can exist for a user and should nullify any DoS session attack.

    点赞 评论 复制链接分享