Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Huge number of Django sessions #2235

Open
bemoody opened this issue May 17, 2024 · 1 comment
Open

Huge number of Django sessions #2235

bemoody opened this issue May 17, 2024 · 1 comment

Comments

@bemoody
Copy link
Collaborator

bemoody commented May 17, 2024

Something seems to have created a massive number of Django sessions. The total number of sessions is currently around 4.5 million.

(At first I thought, are expired sessions not getting deleted for some reason? But no...)

It looks like there are a huge number of sessions containing exactly the same session_data and expiring on 05-22.

I am guessing that this is caused by check_http_auth and perhaps a buggy client.
@bemoody
Copy link
Collaborator Author

bemoody commented May 17, 2024

We could try to fix this in check_http_auth, but for real scalability and DOS resistance we should probably be using cookie-backed sessions instead.

https://docs.djangoproject.com/en/5.0/topics/http/sessions/#using-cookie-based-sessions

I mean, somebody who really wants to wreck the site can always script something to perform millions of logins through /login/.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@bemoody