flooding + sessions

Jerry Kapron jkapron at
Sun Feb 2 09:55:15 EST 2003

I've just realized that in case someone decides to flood my web server with
HTTP requests, the session.save_path directory on the server will get filled
with thousands or even millions of session files in no time. Each
session_start() will create a new unique file on the disk or an entry in a
session handling database table.  This can drastically slow down the server
even after the flood stops.  I deliberately flooded my development server
and noticed the number of session files kept increasing for the next several
minutes after I stop the flood.  I imagine it would cause a variety of other
problems as well.

While setting a high value (100) for session.gc_probability and reducing the
value for session.gc_maxlifetime to 300 (5 minutes) will limit the number of
files to as many as a flood attack can generate in 5 minutes, it will cause
the server to perform the 'garbage collection' routine upon every request,
which itself can be damaging to the server's performance. Besides
simultaneous flood attacks from multiple sources can easily amount to
hundreds of thousands of hits thus session files in just 5 minutes.

Can anyone think of a solution?  A code level solution would be nice but I
can't think of anything.
I believe this calls for a small change to the way PHP handles sessions.
While a session id and a cookie are generated upon establishing a new
session (session_start()), a session handling file should not be created
until a session variable is initialized ( $_SESSION =  or
session_register()).  With that in place, writing flood-proof code wouldn't
be hard at all.


42.7% of all statistics are made up on the spot.

More information about the talk mailing list