duancao1951 2019-02-16 15:45
浏览 128
已采纳

防止PHP / Redis会话D / DoS攻击

I have implemented my own SessionHandlerInterface that reads/writes user sessions and persistent sessions to a Redis server. The user session cookie is set to expire the moment the browser is closed and so the associated Redis session needs to be cleaned up. I can clean this up by setting an expiration of 30 minutes for example, which will result in the user receiving a new session very 30 minutes without disruption due to the presence of the persistent session. At the time a user logs in, I automatically issue a persistent cookie that keeps them logged in for a few months.

How do I prevent a D/DoS attack where a user programatically gets a user session cookie and/or persistent cookie, deletes it, and continues to request and delete the cookie indefinitely? Essentially creating an infinite number of orphaned user or persistent sessions in Redis that will eventually be cleaned up. Even if I reduce the session cookie life to 1 minute to reduce the risk somewhat, it still leaves a persistent cookie issue where they don't set to expire for months. This could easily crash my session manager and prevent all users from loggin in.

I'm aware that firewalls have built in solutions for this, however I'm wondering how this attack can be mitigated at the application level.

This issue has been raised before: Orphaned Session Management Records in Database. How to handle the issue? DB Stability Risk

  • 写回答

1条回答 默认 最新

  • doujuanju3076 2019-02-17 14:45
    关注

    I believe I have a solution identified outside of leveraging a firewall.

    In Redis for both the user session and persistent session I'll leverage a hash and store the userid along with any relevant info. At the time that a new user or persistent session must be created, a look up in Redis will occur for any user and/or persistent session that exists (depending on whether a user session is being requested or persistent session) and if one exists that has yet to expire, either overwrite it or delete it and create a new one.

    This should garuantee that at no time more than one user session or persistent session can exist for a user and should nullify any DoS session attack.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 关于c++外部库文件宏的问题,求解
  • ¥15 office打开卡退(新电脑重装office系统后)
  • ¥300 FLUENT 火箭发动机燃烧EDC仿真
  • ¥15 【Hadoop 问题】Hadoop编译所遇问题hadoop-common: make failed with error code 2
  • ¥15 vb6.0+webbrowser无法加载某个网页求解
  • ¥15 RPA财务机器人采购付款流程
  • ¥15 计算机图形多边形及三次样条曲线绘制
  • ¥15 根据protues画的图用keil写程序
  • ¥200 如何使用postGis实现最短领规划?
  • ¥15 pyinstaller打包错误