[pmwiki-users] 90,000 Session Files

Patrick R. Michaud pmichaud at pobox.com
Fri Mar 20 01:44:51 CDT 2009


On Thu, Mar 19, 2009 at 10:58:19PM -0400, DaveG wrote:
> One of two things (possibly related) I suspect is happening.
> * I'm getting hit by spammers trying (and failing) to get through the 
> captcha.

It wouldn't have to be spammers...search engine robots (spiders) would
be sufficient to cause these files to be generated as well.  This
would be true if the robot doesn't honor 'nofollow' on links, or
if some of the action links on your site don't provide the 'nofollow'
flag.

> * I set garbage collection to a high value, so I don't have to keep 
> logging in every 23 minutes (or whatever the default is). Spammers are 
> attempting to log in, and the failed attempts are creating session files, 
> which basically never expire.

Note that a login attempt isn't necessary to cause a captcha (and
thus a session file) to be created -- simply displaying the page
that contains the captcha is sufficient.

> I've temporarily reduced the values to a couple of days, to see if that 
> at least reduces the history of files. Is there a way to prevent session 
> files being created by spammers?

In order for captchas to be at all workable and not easily circumvented,
the information about the displayed captcha has to be kept somewhere
on the server.  PmWiki's captcha recipe uses session files for this
purpose -- I'm not sure what would/could provide a better solution
to this.  Ultimately it's simply the fact that the captchas are
being displayed that is causing the files to be generated.

(It's also something I _really_ dislike about PHP's session approach...
it would be far better if each session file could be given its own
lifetime instead of having a lifetime shared among all session files.)

Pm
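
Added example, not part of the message above and not PmWiki or captcha-recipe code: a dry-run Python sketch of the per-session lifetime the message wishes for, listing captcha-only session files after a short TTL and logged-in ones after a long TTL. It assumes PHP's default file handler (`sess_*` names, `php` serialize format) and that a top-level `authid`, `authpw` or `authlist` key marks a logged-in session; the TTL values, function names and sample data are illustrative.

```python
import os
import time

# Assumption: top-level $_SESSION keys that mark a logged-in PmWiki session.
AUTH_KEYS = {b"authid", b"authpw", b"authlist"}
# Constructed sample of a captcha-only session; the key name is hypothetical.
SAMPLE_ANON = b'captcha|a:1:{i:0;s:4:"1234";}'

def skip_value(buf, i):
    """Return the index just past the PHP-serialized value starting at buf[i]."""
    t = buf[i:i + 1]
    if t == b"N":                                   # N;
        return i + 2
    if t in (b"i", b"b", b"d"):                     # i:5;  b:1;  d:0.5;
        return buf.index(b";", i) + 1
    if t in (b"s", b"a"):
        colon = buf.index(b":", i + 2)
        n = int(buf[i + 2:colon])
        if t == b"s":                               # s:<n>:"<n bytes>";
            return colon + n + 4
        i = colon + 2                               # a:<n>:{ <2n values> }
        for _ in range(2 * n):
            i = skip_value(buf, i)
        return i + 1
    raise ValueError("unsupported type tag")        # objects and anything else

def session_keys(buf):
    """Top-level key names in a file written by PHP's default 'php' handler."""
    keys, i = set(), 0
    while i < len(buf):
        bar = buf.index(b"|", i)                    # layout: name|value name|value
        keys.add(buf[i:bar])
        i = skip_value(buf, bar + 1)
    return keys

def stale_sessions(directory, anon_ttl=3600, auth_ttl=14 * 86400, now=None):
    """List sess_* files past the lifetime for their class (dry run, no delete)."""
    now = time.time() if now is None else now
    stale = []
    for name in sorted(os.listdir(directory)):
        if not name.startswith("sess_"):
            continue
        path = os.path.join(directory, name)
        with open(path, "rb") as f:
            buf = f.read()
        try:
            logged_in = bool(session_keys(buf) & AUTH_KEYS)
        except ValueError:
            logged_in = True                        # unparseable: keep long lifetime
        if now - os.path.getmtime(path) > (auth_ttl if logged_in else anon_ttl):
            stale.append(name)
    return stale
```

The function only reports candidates; review the list before removing anything, and keep `session.gc_maxlifetime` at least as long as the longer TTL so PHP's own collector does not expire logged-in sessions first.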


