Moodle / MDL-42435

Session Locking allows single user to DOS LMS

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Not a bug
    • Affects Version/s: 2.4.5, 2.5.2
    • Fix Version/s: None
    • Labels:
    • Affected Branches:
      MOODLE_24_STABLE, MOODLE_25_STABLE

      Description

      At the University of Alberta we've experienced a full DOS of our Moodle Installation.
      We've tracked the root cause to be related to the aggressive session locking used in the database_session.

      Incident cause was discovered to be a single user who held down refresh in their browser.
      We are able to reproduce this on any base install of Moodle 2.4.x.
      We were able to partially mitigate non-authenticated and guest users using the CFG->sessionlockloggedinonly flag, but this does not help against authenticated users.

      We're currently investigating a few strategies to resolve this including changing the session's locking mechanism to a shared advisory lock in combination with rate limiting, wrapping the session object assignments with lock/unlock calls.

      We're wondering if there is a fix in the works or not, and if so, where we can find it, as we're currently at the mercy of every single user in our system.

      Installation configuration:
      Moodle 2.4.5, php 5.3.10, postgres 9.1.9
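
A small model of the failure mode reported above and of a per-session limit as one form of the rate limiting the report mentions. This is an added example, not Moodle code and not the reporter's fix. The worker count, lock hold time, traffic pattern and all names are constructed assumptions.

```python
import heapq
from collections import Counter, defaultdict

HOLD_MS = 500    # assumed time a request keeps its exclusive session lock
WORKERS = 8      # assumed size of the web worker pool

def simulate(arrivals, per_session_cap=None):
    """Replay (time_ms, session_id) arrivals; return Counter of (session, outcome)."""
    busy = []                          # min-heap of finish times, one per occupied worker
    lock_free_at = defaultdict(int)    # when each session's lock is next free
    in_flight = defaultdict(list)      # finish times of requests holding or awaiting the lock
    outcome = Counter()
    for t, sid in sorted(arrivals):
        while busy and busy[0] <= t:   # release workers whose request has finished
            heapq.heappop(busy)
        in_flight[sid] = [f for f in in_flight[sid] if f > t]
        if per_session_cap is not None and len(in_flight[sid]) >= per_session_cap:
            outcome[sid, "throttled"] += 1   # rejected before it can occupy a worker
            continue
        if len(busy) >= WORKERS:
            outcome[sid, "refused"] += 1     # pool exhausted, request cannot be served
            continue
        # The worker blocks until the session lock is free, then holds it for HOLD_MS.
        finish = max(t, lock_free_at[sid]) + HOLD_MS
        lock_free_at[sid] = finish
        in_flight[sid].append(finish)
        heapq.heappush(busy, finish)
        outcome[sid, "served"] += 1
    return outcome

def constructed_traffic():
    """Constructed input: one session refreshing every 50 ms, five normal users at 1 req/s."""
    noisy = [(t, "refresher") for t in range(0, 10_000, 50)]
    normal = [(1000 * k + 200 * i + 25, f"user{i}") for k in range(10) for i in range(5)]
    return noisy + normal

def normal_users(outcome, kind):
    """Total requests with the given outcome across every session except the refresher."""
    return sum(n for (sid, k), n in outcome.items() if k == kind and sid != "refresher")

if __name__ == "__main__":
    for cap in (None, 2):
        r = simulate(constructed_traffic(), cap)
        print(f"cap={cap}: normal users served={normal_users(r, 'served')} "
              f"refused={normal_users(r, 'refused')} "
              f"refresher throttled={r['refresher', 'throttled']}")
```

Without a cap, requests queued behind one session's lock occupy every worker and the other users are refused. With two requests allowed in flight per session, the same traffic leaves the pool free for everyone else.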
