Managing bot sessions
This is a quick hat tip and public thanks to Ben Nadel and David Boyer. At work we run our own servers and have issues with bots hitting sites and creating huge amounts of sessions which then sit there for quite a while doing nothing, but using up RAM.
A while ago I started blacklisting known bots and setting them to have a sessiontimeout of 1 second. So although a session was being created for each request that the bot made (as bots don't support cookies a new session is created per request) it quickly expired. This works well, although it means that you need to update the list as new bots and crawlers are identified.
In Ben's Scotch on the Rocks presentation he showed a really simple technique for coping with this scenario by making the sessiontimeout setting in Application.cfc conditional on the existence of a cookie. Here it is:
    this.sessionmanagement = true;
    if ( IsDefined( "cookie.cfid" ) )
    {
        // client has the cfid so accepts cookies
        this.sessiontimeout = CreateTimeSpan( 0, 1, 0, 0 );
    }
    else
    {
        // client doesn't have the cfid cookie, so 1st request or a bot
        this.sessiontimeout = CreateTimeSpan( 0, 0, 0, 1 );
    }
This is simple, elegant and effective! If you use J2EE sessions then you need to modify this but the theory is the same. An even better solution is to not enable sessionmanagement until it is required, which is great for new sites, but for legacy code the above works well. Ben's slides from his presentation are here: http://www.bennadel.com/blog/1933-Mastering-The-ColdFusion-Application-Framework.htm
David Boyer has released a really useful extension for the ColdFusion CFIDE called cftracker, which lets you view lots of information about the memory scopes for applications and sessions. As developers we tend to be pretty busy, so by using cftracker I've been able to spot which sites have been using the most sessions and apply Ben's technique to them first. Another useful feature of cftracker is that it lets you kill sessions for a specific IP address. This is really useful when you see that a bot has created 500-odd sessions!
So thanks to these two guys the servers are looking much more healthy!
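To see what the conditional timeout does to memory, here is a small model of it. This is an added example, not code from the original post or from Ben's slides; it is a simplified simulation in Python rather than ColdFusion, the traffic is constructed, and it assumes a request without a cfid cookie always starts a new session.

```python
# Added example: a simplified model, not ColdFusion itself. Traffic is constructed.
HOUR, SECOND = 3600, 1

def fixed_timeout(has_cfid):
    return HOUR

def cookie_timeout(has_cfid):
    # Mirrors the Application.cfc snippet: long timeout only when cfid came back.
    return HOUR if has_cfid else SECOND

def simulate(requests, timeout_for):
    """requests: (time_s, client, keeps_cookies). Returns (peak_sessions, restarts)."""
    live = {}        # session key -> expiry time in seconds
    seen = set()     # cookie-keeping clients that already hold a cfid
    peak = restarts = anon = 0
    for t, client, keeps_cookies in sorted(requests, key=lambda r: r[0]):
        live = {k: exp for k, exp in live.items() if exp > t}   # drop expired
        has_cfid = keeps_cookies and client in seen
        if keeps_cookies:
            key = client
            if has_cfid and key not in live:
                restarts += 1   # first-request session expired before the 2nd hit
            seen.add(client)
        else:
            anon += 1
            key = f"{client}#{anon}"   # no cookie returned: new session per request
        live[key] = t + timeout_for(has_cfid)
        peak = max(peak, len(live))
    return peak, restarts

def sample_traffic():
    # Constructed: one crawler at 1 request/second for 500 s, plus three browsers.
    bot = [(t, "bot", False) for t in range(500)]
    browsers = [(10, "alice", True), (40, "alice", True), (300, "alice", True),
                (20, "bob", True), (25, "bob", True), (400, "bob", True),
                (100, "carol", True), (130, "carol", True), (450, "carol", True)]
    return bot + browsers

if __name__ == "__main__":
    for name, policy in (("fixed 1h", fixed_timeout), ("cookie-based", cookie_timeout)):
        peak, restarts = simulate(sample_traffic(), policy)
        print(f"{name:13} peak sessions={peak:4} browser session restarts={restarts}")
```

In this model the restarts count shows the trade-off: a real visitor's first-request session has already expired by the time the second request arrives, so anything stored in the session on the first hit is not carried over.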


Nice to hear that CfTracker is actually useful in tracking down these sorts of problems.
Oh BTW you've got a typo with my last name in the final paragraph about cftracker.
Comment by David Boyer – June 22, 2010
Comment by John Whish – June 22, 2010
I may be slow to realize that.
Comment by Aaron Greenlee – June 22, 2010
That might be a good question about being thread safe. From what I can tell with my CFTracker application, an instance of the application and its settings are stored in memory. Which makes me think that the settings probably behave like the application scope itself, which means there would be a small chance that a session could pick up the wrong session...
I'm going to have to try this out now ;)
Comment by David Boyer – June 22, 2010
Of course if you call onApplicationStart yourself (for example your onRequestStart method may call onApplicationStart() to restart your application) then it will no longer be thread safe.
Comment by John Whish – June 22, 2010
Thread safety is an interesting question. A new instance of Application.cfc gets created for every single ColdFusion request within a given application. From what I have experimented with, any event that can be triggered based on a given request (i.e. app start, session start, request start, request, etc.) uses the Application.cfc instance created in that page. Events NOT tied to a given request (i.e. app stop, session stop) use the Application.cfc that gets cached (as @David alluded to).
That said, when it comes to thread-safety, I suppose it depends on what you mean and what areas of the memory you are going to interact with.
Ok, a bit of a ramble there :)
Comment by Ben Nadel – June 23, 2010