Description
- Laravel Version: 5.4.31
- PHP Version: PHP 7.1.9-1+ubuntu16.04.1+deb.sury.org+1 (cli)
- Database Driver & Version: mysql Ver 14.14 Distrib 5.7.19
Description:
I am having an issue using Laravel Sessions via the Database Driver. My issue is that "duplicate" sessions can be achieved, for lack of a better term. For instance, I go to a site using the Laravel framework with default Auth and Sessions via DB. I can then run a script for my Safari browser to continually open new private tabs and access that site's login page. Each time I do, a new session is placed in their database table. SEE the Sessions Table Results and Login Page Attack Via Multiple Private or Incognito Tabs images below. This works whether hitting the login page when not yet authorized or, if logged into the site, using the script to hit the home page over and over. The outcome is that it slows the site down and eventually crashes PHP if enough sessions hammer the DB. Is there a way to prevent this within Laravel? It would seem there should be some sort of limiting per IP if not authorized, or via User ID if authorized. Like if a session already exists with this said USERID then remove the old session and replace it with the new one. Maybe this is not a direct Laravel issue, and if that's the case please close, but if you could point me to a solution that would be great.
Pictures:
- Sessions Table Structure (Imgur)
- Sessions Table Results (Imgur)
- Login Page Attack Via Multiple Private or Incognito Tabs (Imgur)
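As an added example (not part of the original issue and not Laravel's own code), here is one way to implement the behaviour the reporter suggests for authenticated users, keep at most one live database session per account by deleting the others on login, together with a scheduled purge of stale rows so that unauthenticated sessions created by hammering the login page do not accumulate indefinitely. It assumes `SESSION_DRIVER=database` and the default Laravel 5.4 `sessions` table created by `php artisan session:table`, which carries a nullable `user_id` column and a `last_activity` unix timestamp; the class name `InvalidateOtherSessions` is my own.

```php
<?php
// Added example, not framework code. Assumes Laravel 5.4, the database
// session driver, and the default sessions table (id, user_id, ip_address,
// user_agent, payload, last_activity).

// ---- app/Listeners/InvalidateOtherSessions.php ----
namespace App\Listeners;

use Illuminate\Auth\Events\Login;
use Illuminate\Support\Facades\DB;

/**
 * On every successful login, delete all other session rows that belong to
 * the same user_id. The session that just authenticated survives, so an
 * account can only ever hold one live session.
 */
class InvalidateOtherSessions
{
    public function handle(Login $event)
    {
        // Table name comes from config/session.php ('table' key).
        $table = config('session.table', 'sessions');

        // The session id of the request that is logging in right now.
        $currentSessionId = session()->getId();

        DB::table($table)
            ->where('user_id', $event->user->getAuthIdentifier())
            ->where('id', '!=', $currentSessionId)
            ->delete();
    }
}

// ---- app/Providers/EventServiceProvider.php (excerpt) ----
// Register the listener so Laravel's own Login event triggers it.
//
// protected $listen = [
//     \Illuminate\Auth\Events\Login::class => [
//         \App\Listeners\InvalidateOtherSessions::class,
//     ],
// ];

// ---- app/Console/Kernel.php (excerpt of schedule()) ----
// Guest sessions have user_id = NULL, so the listener above never touches
// them. Purge rows whose last_activity is older than the configured session
// lifetime (config value is in minutes, last_activity is a unix timestamp).
// This complements, rather than replaces, the driver's probabilistic
// 'lottery' garbage collection in config/session.php.
//
// protected function schedule(\Illuminate\Console\Scheduling\Schedule $schedule)
// {
//     $schedule->call(function () {
//         $cutoff = time() - ((int) config('session.lifetime')) * 60;
//
//         \Illuminate\Support\Facades\DB::table(config('session.table', 'sessions'))
//             ->where('last_activity', '<', $cutoff)
//             ->delete();
//     })->everyFiveMinutes();
// }
```

Two caveats a practitioner should keep in mind. First, the listener only fires for authenticated users; the login-page variant of the attack in the issue creates sessions with `user_id = NULL`, which is why the scheduled purge is included. Second, a per-IP request limit that stops a connection before PHP ever starts a session is most effective in front of the application (web server or reverse proxy rate limiting), because a session row is written when the request finishes regardless of what the application returned.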