Repeating message creates huge session object in the database

Created on 29 January 2024, 11 months ago
Updated 6 March 2024, 10 months ago

Problem/Motivation

We had a bad crawler on our site that repeatedly triggered the redirect to the login form. That way the session object grew to thousands of message entries filling up the database in the session table.

This could be used by an attacker as Denial-of-service attack, although it is quite indirect by filling up the MySQL table and disk space. Therefore I think this can be public and not be a private security issue.

Proposed resolution

Do not repeat the message if it is already in the session when call drupal_set_message().

Remaining tasks

Patch review.

πŸ› Bug report
Status

RTBC

Version

1.0

Component

Code

Created by

πŸ‡¦πŸ‡ΉAustria klausi πŸ‡¦πŸ‡Ή Vienna

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Production build 0.71.5 2024