[2.1] Bots - view likes attacks #9127

Merged: Sesquipedalian merged 1 commit into SimpleMachines:release-2.1 from sbulen:21_bot_user_likes on Mar 12, 2026

sbulen (Contributor) commented Feb 25, 2026

This PR removes the link allowing users to drill down to see who liked a post. Only guests & bots are affected.

This link is a bot magnet during botnet attacks. During some attacks, these are the ONLY requests made - in the tens of thousands. Note that the request includes the session var & value in the URL. (I believe this is the only guest link that does so...???) When bots pass this bogus session info, the existing session is destroyed and a new one is created, ultimately causing TWO session writes for each bot request. I.e., double the impact.

I believe this should be removed from guests/bots altogether. If that user wants to drill down, they can register.

Fixes #9112

I've been running this code on my prod forum with no issues.

If this is approved, I can submit a 3.0 version.

For more discussion see:
https://www.simplemachines.org/community/index.php?topic=592442.0
https://www.simplemachines.org/community/index.php?topic=590069.0

Feedback welcome.

Signed-off-by: Shawn Bulen <bulens@pacbell.net>
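
Added example, not part of the PR or the SMF code base: a log-triage sketch for measuring how much traffic hits the likes drill-down link described in the comment above. The URL shape (`action=likes;sa=view` followed by a `name=32-hex-value` session pair) and the combined log format are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines (documentation IPs, made-up tokens); URL shape is an assumption.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Feb/2026:10:00:01 +0000] "GET /index.php?action=likes;sa=view;ltype=msg;like=101;ab12cd3=0123456789abcdef0123456789abcdef HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Feb/2026:10:00:02 +0000] "GET /index.php?action=likes;sa=view;ltype=msg;like=102;ab12cd3=0123456789abcdef0123456789abcdef HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Feb/2026:10:00:02 +0000] "GET /index.php?action=likes;sa=view;ltype=msg;like=101;ff00aa1=fedcba9876543210fedcba9876543210 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [25/Feb/2026:10:00:03 +0000] "GET /index.php?topic=42.0 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.44 - - [25/Feb/2026:10:00:04 +0000] "GET /index.php?action=likes;sa=view;ltype=msg;like=7 HTTP/1.1" 200 400 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')
TOKEN_RE = re.compile(r'^[0-9a-f]{32}$', re.I)  # session-value-like string

def parse_query(url):
    """Split the query string on both ';' and '&' into (key, value) pairs."""
    _, _, query = url.partition('?')
    pairs = (p.partition('=') for p in re.split(r'[;&]', query) if p)
    return [(k, v) for k, _, v in pairs]

def summarize(log_text):
    """Count likes drill-down requests and how many carry a session pair in the URL."""
    total = 0
    hits = Counter()        # likes drill-down requests per client address
    with_token = 0          # of those, requests with a session-like value in the URL
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue        # skip lines that are not in the expected format
        total += 1
        ip, url = m.groups()
        params = parse_query(url)
        d = dict(params)
        if d.get('action') == 'likes' and d.get('sa') == 'view':
            hits[ip] += 1
            if any(TOKEN_RE.match(v) for _, v in params):
                with_token += 1
    likes_total = sum(hits.values())
    return {
        'total': total,
        'likes_view': likes_total,
        'share': likes_total / total if total else 0.0,
        'with_token': with_token,
        'top_clients': hits.most_common(3),
    }

if __name__ == '__main__':
    print(summarize(SAMPLE_LOG))
```

A high `share` with most hits counted in `with_token` matches the traffic pattern the comment describes; the per-client counts show whether it is concentrated or spread across many addresses.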

jsqx commented Feb 26, 2026

Will this fix be included in SMF 2.1.7?

sbulen (Contributor, Author) commented Mar 2, 2026

> Will this fix be included in SMF 2.1.7?

Probably not. First, I imagine there needs to be some internal discussion among the team. There was a lot of debate in the past about what guests & likes & views. IMO, the fact that it has become a bot magnet changes the discussion though, hence this PR.

Also, the next release has been in process for a while. Scope has crept & a good case could be made to stop scope creep.

Also, it's possible the team comes back with "OK, but make it an option", due to concern about removing a feature.

It's not even approved yet.

jdarwood007 added this to the 2.1.8 milestone Mar 8, 2026

jdarwood007 (Member) commented

@sbulen Do you have the related updates for 3.0 on this PR?

sbulen (Contributor, Author) commented Mar 8, 2026

I was going to add 3.0 versions once the 2.1 ones were approved. Trying to avoid duplication of rework, etc.

I think this is very low risk & very easy. My only thought is some folks on the team might want this one to be an option.

I don't think it should be, but some might. We'll see what the feedback is.

jdarwood007 (Member) commented

I've tagged this on the 3.0 project with the 2.1.8 milestone. It makes sense to help with bots and performance. Will test this later.

Sesquipedalian merged commit 9eb6568 into SimpleMachines:release-2.1 Mar 12, 2026
10 checks passed
sbulen deleted the 21_bot_user_likes branch March 12, 2026 18:11