
dawsonnn3:

Clear session folder without affecting existing users

Someone has DDoSed our website, resulting in thousands and thousands of files being generated in the storage/sessions folder.

Is there any way to remove these sessions without actually affecting legitimate users? I don't want them all to have to sign back in.

Cheers.

MichalOravec:

If you use the file driver for sessions, just remove those files in storage/framework/sessions.

In config/session.php you can find lifetime; by default it's set to 2 hours. After 2 hours it's automatically removed.

Snapey:

I doubt it.

You should expect perhaps 10x session files compared to active users?

They will be naturally expired and removed if they are not actually causing you to be short on disk space.

dawsonnn3:

Yeah, I'm using the file driver. What will the side effects be if I remove the session files? Will everyone be logged out?

I might just have to wait it out if so. There are over 200,000 session files in there and it's causing havoc with Apache's CPU usage.

Snapey:

After 2 hours the session file is no longer valid, but then it stays there until the garbage cleanup runs, which is random and will be dependent on your traffic.

You could temporarily change the odds so that it is more aggressive in clearing stale session files:

config/session.php

   'lottery' => [2, 100],

Don't forget to reload the config cache if you make any changes.

Snapey:

Yes, if you delete the files then sessions will be lost. If the users have "remember me", they will be silently logged back in, unless they were in the middle of filling in a form, in which case when they press submit they would get a CSRF error.
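Added example, mine rather than code from the thread or from Laravel itself, tying together the two points above (the lottery-driven garbage collection and the effect of deleting files). Laravel's file session handler rewrites a session file on every request, so a live user's file always has a recent modification time, and it refuses to read a file whose mtime is older than the configured lifetime; garbage collection just deletes those same files. Deleting only files past the lifetime is therefore exactly what the sweep would do and logs nobody out, while the 200,000 dead files from the flood go away now instead of on a random request. The script assumes the sessions directory is storage/framework/sessions and the 2-hour default lifetime; the demo function builds its own constructed session files in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the thread. Laravel's file session handler
# refreshes a session file's mtime on every request and treats any file
# older than the configured lifetime (config/session.php 'lifetime', in
# minutes) as expired, so deleting only files past that age removes what
# garbage collection would remove anyway and leaves live sessions intact.
# Assumed: sessions live in storage/framework/sessions and lifetime is 120.

# count_sessions DIR
# Number of session files in DIR (Laravel's .gitignore placeholder is skipped).
count_sessions() {
    echo $(( $(find "$1" -type f ! -name '.gitignore' | wc -l) ))
}

# count_stale_sessions DIR LIFETIME_MINUTES
# Dry run: how many files have not been modified within LIFETIME_MINUTES.
# -mmin +N matches files whose mtime is more than N minutes ago.
count_stale_sessions() {
    echo $(( $(find "$1" -type f ! -name '.gitignore' -mmin +"$2" | wc -l) ))
}

# purge_stale_sessions DIR LIFETIME_MINUTES
# Deletes the stale files and prints how many were removed. Uses -exec rm
# rather than piping names through xargs, so odd file names are handled safely.
purge_stale_sessions() {
    before=$(count_sessions "$1")
    find "$1" -type f ! -name '.gitignore' -mmin +"$2" -exec rm -f {} +
    after=$(count_sessions "$1")
    echo $(( before - after ))
}

# Stand-alone demo on constructed data: three session files backdated to
# 2020 (well past any lifetime) and two freshly touched "live" ones.
demo() {
    dir=$(mktemp -d)
    for i in 1 2 3; do touch -t 202001010000 "$dir/stale$i"; done
    touch "$dir/live1" "$dir/live2" "$dir/.gitignore"
    echo "stale before purge: $(count_stale_sessions "$dir" 120)"   # 3
    echo "removed:            $(purge_stale_sessions "$dir" 120)"   # 3
    echo "remaining:          $(count_sessions "$dir")"             # 2
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run `sh purge_sessions.sh demo` to see it on the constructed files; on the real server, source the file and call `count_stale_sessions /path/to/storage/framework/sessions 120` first as a dry run, then `purge_stale_sessions` with the same arguments. Pass the same number of minutes as your 'lifetime' setting: anything younger is a session Laravel will still accept. Running this from cron also keeps the in-request lottery sweep cheap, because it never has to stat a six-figure pile of dead files.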

dawsonnn3:

We have "remember me" enabled by default, so I suppose it's a good thing then. However, the session lifetime is set to only 2 hours, so I think I will wait to see if it helps before purging them.

I notice that there is the option "expire_on_close". If I enable that, will it help prevent this from happening in the future? What are the downsides of using this?

Snapey:

AFAIK it only tells the browser that it should expire the session cookie when the user closes the browser. It does nothing on the server side. It's just a flag that gets set on the session cookie.

dawsonnn3:

Ah right, makes sense. Thank you!

Do you have any recommendations on how I can avoid this problem in the future? Whenever I get a DDoS attack, Apache's CPU usage goes sky high (I'm only just realising that this is probably caused by the garbage collection checking every single session file).

I'm assuming memcached would be a better solution?

Snapey:

Try switching to database session management?
