PHP
Pavel, 2016-12-24 09:49:25

PHP sessions. How many are created for one visitor?

Hello! There is a VPS with Ubuntu 12. All the sites (5 of them) suddenly went down. I dug around; the problem is that disk space had run out. Actually, it ran out of inodes. The sessions folder had one and a half million sess_* files. At this point the sites have been running for 5 months; all of them are young. The total traffic is no more than 300 visitors per day. Hence the question: is such a number of sessions normal, or is it malware? And why don't Apache or PHP clean up after themselves?
UPD: in the php.ini of PHP itself, session.gc_maxlifetime = 1440
In the php.ini of the sites on Opencart, session.gc_maxlifetime = 3600
I did not find my own php.ini in WP.
UPD 2: sessions are in /var/www/user_name/data/mod-tmp
And I see files there created more than 2 hours ago. That is when I cleaned everything up and asked the question.
UPD 3: Got to the bottom of it. The garbage collector was disabled in php.ini; the values were
session.gc_probability = 0
and
session.gc_divisor = 1000
I set session.gc_probability = 1 and the sessions began to be deleted.
Thanks to all!
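A small check that makes the UPD 3 finding reproducible, added here as an example (it is not part of the question). PHP runs session garbage collection on session_start() with probability session.gc_probability / session.gc_divisor, so with gc_probability = 0 the sess_* files are never removed by PHP at all. Debian and Ubuntu packages ship exactly that setting and rely on a cron job that only sweeps the distribution's default session directory, so a custom session.save_path such as the mod-tmp directory from UPD 2 gets no cleanup. The php.ini fragment below is constructed from the values quoted in the question; the function names are my own.

```sh
#!/bin/sh
# Added example: inspect PHP session GC settings and report whether GC can ever run.
# The php.ini excerpt is constructed from the values quoted in the question.
SAMPLE_INI=$(cat <<'EOF'
; constructed php.ini excerpt
session.gc_probability = 0
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
EOF
)

# ini_get INI_CONTENT KEY -> prints the value of KEY (comments ignored, last match wins)
ini_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*[;#]/ { next }               # skip comment lines
        {
            split($0, kv, "=")
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", kv[1])
            if (kv[1] == key) {
                val = kv[2]
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                sub(/[[:space:]]*[;#].*$/, "", val)   # strip trailing inline comment
            }
        }
        END { print val }'
}

# gc_status INI_CONTENT -> prints "disabled", or "1/N" meaning one GC run per N session starts
gc_status() {
    prob=$(ini_get "$1" session.gc_probability)
    div=$(ini_get "$1" session.gc_divisor)
    : "${prob:=1}" "${div:=100}"     # PHP's compiled-in defaults when a key is absent
    if [ "$prob" -le 0 ] || [ "$div" -le 0 ]; then
        echo disabled
    else
        echo "1/$((div / prob))"
    fi
}

# Stand-alone run: prints "disabled" for the sample, and the maxlifetime that is never applied.
echo "GC: $(gc_status "$SAMPLE_INI"); gc_maxlifetime=$(ini_get "$SAMPLE_INI" session.gc_maxlifetime)s"
```

Point gc_status at the php.ini each site actually loads (the question shows three different ones), since a per-site override with gc_probability = 0 silently wins over the global file.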


2 answer(s)
Eugene Volf, 2016-12-24
@Palych_tw

While I was thinking about the cause-and-effect relationships of what was happening and writing the answer, a lot had already been written here without me and some of the questions answered ... and some things even cleared up ...
As you understand, it's hard to say for sure, but I see the picture in this order:
1. You have a website on WP
2. The WP admin panel or its attributes are available at the standard addresses
3. A bot comes along looking for a fresh WP to hack (in order to send spam) and tries to brute-force your admin panel, or something else of that sort
3.1 Perhaps it liked the admin panel not of WP but of some other site ... without detailed access logs, guessing is like pointing a finger at the sky!
4. The bot generates parasitic requests for several hours
5. Each such request creates a new session file
6. By default, a PHP session file is stored for 24 hours
7. There are too many session files
This is probably the most likely option of all that I could come up with without access to the server and almost no information about what is happening inside it ...
Possible useful actions on your part:
a) You can set the lifetime of sessions in PHP
b) Do not keep admin panels publicly accessible
c) Choose and install some kind of protection mechanism against bots. It's not hard to guess that a user could not request 500 pages per minute...
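Point c) of the answer above suggests the check a defender would actually run: count requests per client per minute in the web server's access log and flag rates no human produces. The script below is an added example, not part of the answer. The Apache combined-log lines, IP addresses and the 20-requests-per-minute threshold are constructed for the demonstration; the flagged addresses are what you would hand to a rate limiter or fail2ban-style tool, and the session directory growth in the question would drop with them.

```sh
#!/bin/sh
# Added example: flag (client IP, minute) pairs whose request count exceeds a threshold,
# reading Apache "combined" log lines. All log lines below are constructed.

# make_sample_log -> prints 30 login POSTs from one address inside one minute,
# plus two ordinary page views from another address.
make_sample_log() {
    i=0
    while [ "$i" -lt 30 ]; do
        printf '203.0.113.7 - - [24/Dec/2016:09:40:%02d +0300] "POST /admin/index.php?route=common/login HTTP/1.1" 200 512 "-" "python-requests/2.12"\n' "$i"
        i=$((i + 1))
    done
    printf '198.51.100.20 - - [24/Dec/2016:09:40:05 +0300] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"\n'
    printf '198.51.100.20 - - [24/Dec/2016:09:41:12 +0300] "GET /product.php?id=3 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"\n'
}

# flag_bursts THRESHOLD  (log on stdin)
#   Prints "IP day/Mon/year:HH:MM count" for every client that sent more than
#   THRESHOLD requests within a single minute, sorted for stable output.
flag_bursts() {
    awk -v limit="$1" '
        {
            ip = $1
            ts = $4                      # e.g. [24/Dec/2016:09:40:01
            minute = substr(ts, 2, 17)   # 24/Dec/2016:09:40  (seconds dropped)
            n[ip " " minute]++
        }
        END {
            for (k in n) if (n[k] > limit) print k, n[k]
        }' | sort
}

# Stand-alone run against the constructed log; on a real host:
#   flag_bursts 100 < /var/log/apache2/access.log
make_sample_log | flag_bursts 20
```

Keying on the log's own timestamp rather than wall-clock time lets the same function run over historical logs, which is how you would confirm or rule out the bot hypothesis for the period when the sess_* files piled up.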

Arman, 2016-12-24
@Arik

Most likely the sites are configured to store sessions for several years, which is common practice in general. You, in turn, can set up a cron job that simply deletes the files by modification time; users will just be asked to log in again if they have not been around for more than, say, a month. Another option is to switch the session mechanism to store sessions in a database, memcache or Redis, but again that takes resources. I would go the first way: if they don't like it, let them switch the session mechanism to their own and get a session for a month or two, however much you give them, but I don't think they would even notice.
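The cron-driven sweep described in the answer above, written out as an added example (not the answerer's code). It removes sess_* files by modification time, reports how many it touched, and has a dry-run mode so the cutoff can be checked before anything is deleted. The 30-day cutoff and the crontab line are assumptions; the directory path is the one given in UPD 2 of the question.

```sh
#!/bin/sh
# Added example: sweep stale PHP session files by mtime, for use from cron.

# purge_stale_sessions DIR MINUTES [dry]
#   Matches regular files named sess_* directly inside DIR that have not been
#   modified for more than MINUTES minutes. Prints the number matched.
#   With a third argument the files are counted but left in place.
purge_stale_sessions() {
    dir=$1; minutes=$2; dry=${3:-}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    if [ -n "$dry" ]; then
        find "$dir" -maxdepth 1 -type f -name 'sess_*' -mmin +"$minutes" | wc -l | tr -d ' '
    else
        # -print runs before -delete, so the count reflects what was actually removed
        find "$dir" -maxdepth 1 -type f -name 'sess_*' -mmin +"$minutes" -print -delete | wc -l | tr -d ' '
    fi
}

# Assumed crontab entry (every 30 minutes, 43200 minutes = 30 days), with this
# script saved as /usr/local/bin/purge_sessions.sh:
#   */30 * * * * /usr/local/bin/purge_sessions.sh /var/www/user_name/data/mod-tmp 43200
if [ "$#" -ge 2 ]; then
    purge_stale_sessions "$@"
fi
```

Run it once with the dry-run argument against the real directory to see the count before installing the crontab line. The -maxdepth 1 and -name 'sess_*' filters keep the sweep from ever reaching anything other than session files, which matters when the session directory is shared with other temporary data as mod-tmp may be.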
