I have a nodejs web application which uses the express framework, and it is reachable via internet. I am using a session store which stores the sessions as plain files on disk, and with the current implementation, each request without cookie will get a new session-id, resulting in a new file on disk for the new session.
Since the application is reachable via internet, I receive a lot of invalid requests, which of course never send cookies, but produce more sessions on my filesystem, which is a real mess.
I used the OWASP session management cheat sheet as a guideline for the implementation (https://www.owasp.org/index.php/Session_Management_Cheat_Sheet), but it does not cover the topic of guest sessions in detail. It only states that applications might find it useful to assign sessions also to unauthenticated (guest) users, so guest-sessions seem to be a valid feature in general.
So right now I don't know how to properly fight the problem of unnecessarily created sessions/session files by invalid/malicious requests. Is there any recommended way to do this?
I thought of maybe a combination of a very short expiration of 'guest'-sessions (< 5min) and a whitelist for IP ranges or something, where any IP not in the whitelist will not receive a guest-session (but of course a session once successfully authenticated).
Any tips on how I should approach this problem?
via user826955