  1. Moodle
  2. MDL-42435

Session Locking allows single user to DOS LMS

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Not a bug
    • Affects Version/s: 2.4.5, 2.5.2
    • Fix Version/s: None
    • Affected Branches:
      MOODLE_24_STABLE, MOODLE_25_STABLE

      Description

      At the University of Alberta we've experienced a full DOS of our Moodle Installation.
      We've tracked the root cause to be related to the aggressive session locking used in the database_session.

      Incident cause was discovered to be a single user who held down refresh in their browser.
      We are able to reproduce this on any base install of Moodle 2.4.x
      We were able to partially mitigate non-authenticated and guest users using the CFG->sessionlockloggedinonly flag, but this does not help against authenticated users.

      We're currently investigating a few strategies to resolve this including changing the session's locking mechanism to a shared advisory lock in combination with rate limiting, wrapping the session object assignments with lock/unlock calls.

      We're wondering if there is a fix in the works or not, and if so, where we can find it, as we're currently at the mercy of every single user in our system.

      Installation configuration:
      Moodle 2.4.5, php 5.3.10, postgres 9.1.9
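
A model of the failure mode reported above, as an added example that is not part of the original issue or of Moodle's code: every request occupies a worker while it waits for its session's exclusive lock, so one session refreshing faster than requests complete fills the pool. The worker count, timings, and the `max_per_session` cap (a stand-in for the rate limiting the reporter mentions) are assumptions.

```python
import heapq
from collections import defaultdict, deque

def refused_normal(workers, service_ms, arrivals, max_per_session=None):
    """Count 'normal' requests that find no free worker.

    arrivals: iterable of (time_ms, session_id, is_normal).
    An accepted request holds a worker from arrival until it has waited
    for its session's exclusive lock and then run for service_ms.
    max_per_session (assumed mitigation): reject a request at once, without
    tying up a worker, when that many requests of its session are in flight.
    """
    busy = []                        # min-heap of worker release times
    in_flight = defaultdict(deque)   # session -> finish times, ascending
    refused = 0
    for t, sid, is_normal in sorted(arrivals):
        while busy and busy[0] <= t:         # workers whose request finished
            heapq.heappop(busy)
        q = in_flight[sid]
        while q and q[0] <= t:               # this session's finished requests
            q.popleft()
        if max_per_session is not None and len(q) >= max_per_session:
            continue                         # fast reject, no worker held
        if len(busy) >= workers:
            refused += is_normal             # pool exhausted
            continue
        start = max(t, q[-1]) if q else t    # queue behind the session lock
        finish = start + service_ms
        q.append(finish)
        heapq.heappush(busy, finish)
    return refused

def constructed_workload():
    # Constructed sample: one session refreshing every 100 ms for 30 s,
    # plus 20 other users (distinct sessions) arriving one second apart.
    flood = [(i * 100, "flood", False) for i in range(300)]
    normal = [(5050 + k * 1000, f"user{k}", True) for k in range(20)]
    return flood + normal

if __name__ == "__main__":
    load = constructed_workload()
    print("refused, lock wait unbounded:", refused_normal(10, 1000, load))
    print("refused, 2 in flight per session:", refused_normal(10, 1000, load, 2))
```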

            People

            Assignee:
            skodak Petr Skoda
            Reporter:
            tdjones Trevor Jones
            Peer reviewer:
            Michael de Raadt
            Component watchers:
            Andrew Lyons, Dongsheng Cai, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze, Matteo Scaramuccia