FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » FUDforum Development » Bug Reports » INSERTions into ses table for unknown users (Fantom sessions?)
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: INSERTions into ses table for unknown users [message #168063 is a reply to message #168062] Wed, 09 January 2013 01:33 Go to previous messageGo to previous message
San ??????? is currently offline  San ???????
Messages: 4
Registered: January 2013
Karma:
Junior Member

It seems like I found a cause of the problem. There is session checking in index.php on every request and if client has no session cookie it created (for anonymous users too, in ses_anon_make()). The last could be used for DoS attack if client ignores forum cookie - that is why I'm having a lot of new lines in ses table for non-existing accounts. The code (from ses_anon_make()) gives me no chance in this case:

do {
    $uid = 2000000000 + mt_rand(1, 147483647);
    $ses_id = md5($uid . __request_timestamp__ . getmypid());
} while (!($id = db_li("INSERT INTO 2frmdb_ses (ses_id, time_sec, sys_id, user_id) VALUES ('".$ses_id."', ".__request_timestamp__.", '".ses_make_sysid(). "', ".$uid.')', $ef, 1)));


Cyclic INSERTions to DB to get ID just brilliant. Smile For crackers, of course... For example, my forum has about 6000 registered accounts and only few of them are really active, but my sesssion table file (MyISAM) takes about 2 GBytes on disk now and grows quickly.
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: CKEditor conflicts with default formatting tools
Next Topic: Censorship bug
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Wed Nov 27 00:10:06 GMT 2024

Total time taken to generate the page: 0.04750 seconds