How not to create|immediately delete sessions in asp.net for one-time connections from bots?

R

Ruslan2021-06-08 14:56:27

ASP.NET

Ruslan, 2021-06-08 14:56:27

Hello.
In Asp.net, by default, a session is created | used for each connection, the session is not created if it already exists, and the request is matched with an existing session by cookies (there is another option with an identifier in the url, but we will discard it for now).
So, a problem arises: if some robot scans the site and uses a clean set of cookies for each request, then a session is created for each request, and by default it is stored in RAM for 20 minutes. Thus, if the robot fires requests with terrible force, then you yourself understand what will happen to the RAM on the server.

Question: how can you protect yourself from this scourge?

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

V

Vitaly Kachan, 2021-06-09
@MANAB

This is similar to protecting against DDOS attacks, googled, there are existing (paid) solutions, but I would not bother, because. it is very difficult to solve this problem by hand and it is worth calculating how much money the business will lose over the estimated time of DDOS and how much ready-made solutions / your crutch cost.