Code:
    if (!SINGLE_USER_MODE /* && DB_TYPE == "pgsql" */) {
        session_set_save_handler("ttrss_open",
            "ttrss_close", "ttrss_read", "ttrss_write",
            "ttrss_destroy", "ttrss_gc");
    }
    session_set_cookie_params(SESSION_COOKIE_LIFETIME);
    if (!defined('TTRSS_SESSION_NAME') || TTRSS_SESSION_NAME != 'ttrss_api_sid') {
        @session_start();
    }
Two problems here - 1, the ttrss_destroy function is *only* ever called as part of the logout() code, and ttrss_gc is only called with a 50% probability that - using the default values in config.php-dist - will be over 30 days old ((86400*30)/60/60/24). I have both a cloud load balancer *and* monitoring on the cloud instance that hit index.php repeatedly and frequently (as expected) for health status. After a while you end up looking like this:
Code:
    mysql> select count(*) from ttrss.ttrss_sessions;
    +----------+
    | count(*) |
    +----------+
    |   128419 |
    +----------+
    1 row in set (0.03 sec)

    mysql> select count(*) from ttrss.ttrss_sessions;
    +----------+
    | count(*) |
    +----------+
    |   128420 |
    +----------+
    1 row in set (0.02 sec)
Those samples were taken ~5 secs apart, so let's say I'm gaining no less than 12 per minute - in 7 days that's about 120960 -- mine are higher because I have both a load balancer and monitoring checking it, and just implemented those this past weekend. At this rate I'm gonna have a bajillion and one sessions in that table in not too long.
So, we have a problem - I don't have a quick patch ready but in general the index.php should *not* initiate a session until the user tries to log in (or possibly... institute a garbage collection in index.php outside of the ttrss_gc() callback?). A number of solutions present themselves here, up to fox how he wants to handle it...
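One way to do what the post suggests (no session until the user logs in or already has one), as an added example that is not tt-rss code or a patch from the poster. The `op=login` request parameter, the function names and the sample requests are hypothetical.

```php
<?php
// Added example, not tt-rss code: start a session only when the request
// already carries a session cookie or is an explicit login attempt, so that
// anonymous health-check hits on index.php never create a ttrss_sessions row.

const LOGIN_OP = 'login'; // hypothetical: request parameter value that marks a login

function request_needs_session(array $cookies, array $params, string $session_name): bool
{
    // Returning visitor: cookie present and shaped like a PHP session id
    // (letters, digits, ',' and '-', 22 to 256 characters).
    $sid = $cookies[$session_name] ?? '';
    if (is_string($sid) && preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sid)) {
        return true;
    }
    // New visitor: only a login attempt justifies allocating a session.
    return ($params['op'] ?? '') === LOGIN_OP;
}

function start_session_if_needed(): bool
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return true;
    }
    if (!request_needs_session($_COOKIE, $_REQUEST, session_name())) {
        return false; // probe or anonymous hit: nothing is written to the store
    }
    return session_start();
}

// Constructed requests, run from the CLI to show the decision for each.
$samples = [
    'load balancer probe'               => [[], []],
    'monitoring probe with junk cookie' => [['PHPSESSID' => 'x'], []],
    'returning browser'                 => [['PHPSESSID' => str_repeat('a', 26)], []],
    'login form post'                   => [[], ['op' => 'login']],
];
foreach ($samples as $label => [$cookies, $params]) {
    $verdict = request_needs_session($cookies, $params, 'PHPSESSID') ? 'start session' : 'skip';
    printf("%-36s %s\n", $label, $verdict);
}
```

A client that replays a well-formed but expired cookie still gets a new row, so this reduces growth from cookie-less probes and does not replace garbage collection.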