Question
I have a webapp that uses persistent cookies to allow a user to stay logged in.
I am using the Improved Persistent Login Cookie method.
https://www.programering.com/a/MDO0MzMwATA.html
https://www.experts-exchange.com/questions/29006560/selector-validator-cookies.html
When a user is logging in through the LOGIN form and has asked to be remembered, I generate a random selector and a random token and add these to a table called Session in my DB along with the userID and other values (IP, time, browser, whatever). I also set a cookie called KeepMeLoggedIn with the value selector:token, expiring in 30 days.
When the user returns to the site (before or after the PHP Session/CodeIgniter session has expired) I check for the $_SESSION variable; if none is found I look for my KeepMeLoggedIn cookie. If the cookie returns a value I check it against my Session table to see if the selector and token match. If they match I reset the token and store it back in the DB, the cookie is updated to the new selector:token value, and the login process completes.
When a user logs out I destroy the cookie and session and delete the entry in the DB for the selector.
All this is working great except for when a user deletes the cookies manually. The record in my Session table is orphaned. In testing my system I ended up with 50+ records in my Session table that were from the cookies I manually deleted while testing the logic. Since I manually deleted the cookie, the selector was not available to the code to be deleted/removed from the Session DB.
So here are my questions:
1) What is a usable approach to handling these orphaned records?
My first thought is to just purge the Session table of any date older than my chosen expiration date for the Remember Me function, either when a user logs in, or in a cron job, or whenever.
Are there any other ideas here?
2) Is this a vulnerability in the overall model that can allow a hacker to:
    create an account on a website
    x=1
    while x <2
    -> login and ask to be remembered
    -> delete the cookie
    do();
And end up flooding the website's Session Table till the site is shut down, adding 1,000s and 1,000s of records over time??
Source: https://stackoverflow.com/questions/51024015/orphaned-session-management-records-in-database-how-to-handle-the-issue-db-sta
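An added illustration of the selector:token flow described in the question, covering both concerns raised (expiry-based purging of orphaned rows and bounding how many rows one account can create). This is example code written for this page, not the asker's CodeIgniter code; the in-memory dict stands in for the Session table, the per-user cap of 5 is an assumed policy value, and storing a hash of the token rather than the token itself is an added hardening, not something the question does.

```python
import hashlib
import hmac
import secrets

REMEMBER_TTL = 30 * 24 * 3600   # 30 days, matching the cookie lifetime in the question
MAX_TOKENS_PER_USER = 5         # assumed cap: bounds rows left behind by deleted cookies


def _h(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class RememberMeStore:
    """In-memory stand-in for the Session table: selector -> row."""

    def __init__(self):
        self.rows = {}

    def issue(self, user_id: int, now: int) -> str:
        # Evict the user's oldest rows so an account cannot grow the table without bound.
        mine = sorted((r["expires"], s) for s, r in self.rows.items() if r["user_id"] == user_id)
        while len(mine) >= MAX_TOKENS_PER_USER:
            del self.rows[mine.pop(0)[1]]
        selector = secrets.token_hex(8)
        token = secrets.token_hex(32)
        self.rows[selector] = {"user_id": user_id, "token_hash": _h(token),
                               "expires": now + REMEMBER_TTL}
        return f"{selector}:{token}"          # cookie value, as in the question

    def redeem(self, cookie: str, now: int):
        """Return (user_id, new_cookie) on success, None otherwise."""
        selector, _, token = cookie.partition(":")
        row = self.rows.get(selector)
        if row is None or row["expires"] <= now:
            return None
        if not hmac.compare_digest(row["token_hash"], _h(token)):
            # Selector known but token wrong: treat as a suspect cookie and drop the row.
            del self.rows[selector]
            return None
        # Rotate on every use: the old selector:token can never be replayed.
        del self.rows[selector]
        return row["user_id"], self.issue(row["user_id"], now)

    def purge_expired(self, now: int) -> int:
        """Cron-style cleanup of orphaned rows; returns how many were removed."""
        expired = [s for s, r in self.rows.items() if r["expires"] <= now]
        for s in expired:
            del self.rows[s]
        return len(expired)
```

Rows left behind by manually deleted cookies are removed either by the cap at the next login or by `purge_expired` once the 30-day window passes, whichever comes first.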