davwheat Session Keep-alive: good riddance, "something went wrong!"

davwheat

davwheat Session Keep-alive

A Flarum extension. Prevents session timeouts during idle by pinging home at set intervals.

Ping intervals are determined by the session lifetime in Illuminate. In Flarum, this defaults to 2 hours. Pings are done at 4 points within that lifetime to increase the chances of a successful keep-alive.

This means that, by default with this extension, the forum will ping home every 30 minutes to keep your session alive.

Installation

Install with composer:

composer require davwheat/session-keepalive:"*"

Updating

composer update davwheat/session-keepalive:"*"
php flarum migrate
php flarum cache:clear

Links

luceos

davwheat that title y'all 🙈

CyberGene

Can you clarify what this extension actually does? I’ve seen that problem “something went wrong” from time to time, albeit rarely, and wondered what it was caused by.

Does your extension add a client-side (browser) code that will prevent session expiration?

davwheat

CyberGene

The extension adds both a client side script and a new server side route.

The client side script will automatically fire a request to the new route on a regular basis.

The server side route returns a new CSRF token if the old one has expired, and the client script assigns this to the app.session.csrfToken variable in the JS frontend.

The aim of the extension is to prevent sessions timing out. This is when you would normally see an error when attempting to perform an action, such as liking a post or replying to a discussion. This usually happens because the CSRF token becomes invalid due to no action being performed with it for a long time.

Usually you would have to refresh the forum page, and this would cause annoyance if you were writing a long post, for example, or you put your laptop to sleep and reopened it the next day with a Flarum page still open.

CyberGene

davwheat thanks, installed it. Hopefully it will solve those problems we had that seem consistent with your explanation 👍🏻

Walys

Thanks Dav!
In my forum have this "problem" and not understand why. I thought the problem was somewhere in my code but then I saw the same problem here on flarum.org. I thought it was a core issue and maybe problem solved in new update.

@luceos is there any change in the flarum roadmap to avoid this error with ping with less time or would it be better to install this good extension from davwheat?

askvortsov

Walys We are considering potentially bringing this into core, but no decision yet.

Teddan

Will it brings a lot more burden to the server?

davwheat

Teddan

Nope, not really.

The endpoint logic is very simple, and the client doesn't poll it very often anyway.

rafaucau

@davwheat This extension is DDOSing my forum. IDK what happened, but a day after activation it started sending thousands of requests per second

Prcek

rafaucau How did the investigation into the cause end?

Prcek

OK, so my very first investigation shows that after disabling this davwheat/session-keepalive:1.1.0 (latest) extension clients will start self-DDoSing the forum because /index.php will stop being accessible via the POST method and the same for /api/csrf-keepalive. This is hilariously insane. I'm still figuring out the details, but it looks like the forum just has to survive this self-DDoS from its own users. Fortunately it fades with each passing minute as clients close (perhaps refresh) the browser tab.

Take a look at 2k requests in just 2 minutes:

PHP-FPM log:

flarum-php-fpm-5        | 172.18.0.9 -  12/Sep/2023:23:26:31 +0000 "POST /index.php" 404
flarum-php-fpm-4        | 172.18.0.9 -  12/Sep/2023:23:26:31 +0000 "POST /index.php" 404
flarum-php-fpm-3        | 172.18.0.9 -  12/Sep/2023:23:26:31 +0000 "POST /index.php" 404
flarum-php-fpm-2        | 172.18.0.9 -  12/Sep/2023:23:26:31 +0000 "POST /index.php" 404
...

FullThrottle83

Is this extension safe to install?
I have it on on forum, but that don't have any traffic really.
My new one does, so these comments scare me - although I like this extension. 🤔

clarkwinkelmann

I have not downloaded the extension, but just looking at the code I see some things that could be improved:

Have a sanity check in the javascript to check keepAliveInterval is greater than zero or a particular value before using it as the interval value. Probably a good idea to cap it at 30 seconds minimum or even more
Replace setInterval with a self-invoking method that calls the next iteration after the request completes or fails, rather than sending new requests even if one is still pending. Alternatively, use a simple infinite loop inside an async function

As for the reported problems, I see 2 possible sources for the DOS reports:

is $this->container['config']['session.lifetime'] guaranteed to return a value? If it doesn't, and because there's no sanity check as written above, the script will just send as many requests as it can in an interval of zero seconds
If the extension is disabled but a client loads a cached version of the javascript, then the number of seconds will not be in the forum payload and it will also loop on zero seconds because there's no minimum value in the javascript