MyBB Community Forums

Full Version: Why does MyBB save sessions to database?
Hi, was recently reviewing the code for MyBB and noticed it saves its sessions to the database. I would like to know what is the purpose for this but also how secure is it? Where does this information come to play in MyBB? From my view, it seems to only carry user's browser information and IP (I think).
Most forum systems store sessions in the database. It's needed for showing who's online and where they're visiting.

You need to be more specific with your question about security.
It's more convenient to store in the database and have it eliminate old entries than having a file handle it. It would get really messy trying to use a file system for storing sessions.
Hi there. It's easy to manage sessions in bulk when they're stored in a database. The information is as secure as your database server, the code that can access the database, and the credentials protecting it all. TL;DR unless you make blatantly stupid mistakes (trust me we all have) you won't have an issue.
So my question is, the information stored in these sessions is information that is not deemed private, correct? I ask because a lot of us know that it is entirely possible someone could manipulate sessions and steal someone's session. However, seeing as MyBB only uses sessions to determine who's online and other cosmetic features, we are all in agreement that sessions can be somewhat manipulated? It's the fact that there's no benefit to manipulate these sessions is why MyBB uses them. Correct?
The information stored in the mybb_sessions table is used to track guests and users browsing the board and contains the user ID, the browser & system signature, the IP address and their last known location within the forums, so the data itself can be considered sensitive. The visitors are identified by the session hash (sid) value saved in a cookie that's also stored in the table.
The authentication, however, relies on the loginkey from mybb_users, saved in a cookie upon successful login, and the user stays authenticated as long as the values match.


Neither sid nor loginkey is disclosed to anyone else.
I found out, that my forum has ~4gb sessions table (15 million rows).
Inside MyBB admin settings, is there a way to set some rule on that table, so the older table rows would automatically be removed?
I think storing these table rows for 1 month would be enough.
(2023-10-24, 11:35 AM) tarmo wrote:
I found out, that my forum has ~4gb sessions table (15 million rows).
Inside MyBB admin settings, is there a way to set some rule on that table, so the older table rows would automatically be removed?
I think storing these table rows for 1 month would be enough.

Enable Daily Cleanup in your Scheduled Tasks.
Daily Cleanup "dailycleanup.php" is enabled, but for some reason it does not remove old sessions from the "mybb_sessions" table.
Not clear if you've just enabled it.  Might have to purge the table - in say, phpmyadmin - to get rid of all the old stuff.

The sessions table will start to regenerate immediately.  Although the task has a delete query in it - not sure it will handle a situation like this.

// Clear out sessions older than 24h
	$db->delete_query("sessions", "time < '".(int)$time['sessionstime']."'");

Maybe someone with more skills than I will know. Oh, make sure you've enabled logging as well, so you know if it runs successfully on a go-forward basis.
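
Added example, not part of the thread and not MyBB's own code: one way to clear a backlog like the 15-million-row table described above is to delete in small batches with the same `time` cutoff the cleanup task uses, so no single statement holds locks on the whole table. Since each row carries IP addresses and browser signatures, the purge also limits how long that data is retained. It assumes MySQL or MariaDB, the `mybb_` table prefix seen in the thread, and a recent backup; the procedure name, its parameters and the batch size are hypothetical.

```sql
-- Added example: assumes MySQL/MariaDB and the mybb_ table prefix from the thread.
-- purge_old_sessions, max_age_seconds and batch_size are hypothetical names.

-- Check how many rows are past the 24h cutoff before deleting anything.
SELECT COUNT(*) AS stale_rows
FROM mybb_sessions
WHERE `time` < UNIX_TIMESTAMP() - 86400;

DELIMITER //

CREATE PROCEDURE purge_old_sessions(IN max_age_seconds INT UNSIGNED,
                                    IN batch_size INT UNSIGNED)
BEGIN
  -- Compute the cutoff once so every batch uses the same boundary.
  DECLARE cutoff INT UNSIGNED DEFAULT UNIX_TIMESTAMP() - max_age_seconds;
  DECLARE deleted INT DEFAULT 1;

  WHILE deleted > 0 DO
    -- Same predicate as the cleanup task's delete (time < cutoff),
    -- but capped per pass so each statement stays short.
    DELETE FROM mybb_sessions WHERE `time` < cutoff LIMIT batch_size;
    SET deleted = ROW_COUNT();  -- must be read right after the DELETE
    DO SLEEP(0.2);              -- brief pause so live traffic can take its turn
  END WHILE;
END//

DELIMITER ;

-- Remove sessions older than 24 hours, 10,000 rows per pass.
CALL purge_old_sessions(86400, 10000);

-- One-off helper; drop it once the backlog is gone.
DROP PROCEDURE purge_old_sessions;
```

Deleting rows does not by itself shrink the table file on disk; running `OPTIMIZE TABLE mybb_sessions;` afterwards rebuilds the table and reclaims the space.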