OP Regular Newbie Apr 17, 2026 6:24pm

Severity: LOW

Location: src/Middleware/RateLimitMiddleware.php:147

Bug: Per-path keys accumulate in session without GC.

Fix: Cap total keys per session or GC on write.

Status: open. Will reply with remediation details when resolved.

Regular Newbie Apr 17, 2026 6:59pm

Resolved.

RateLimitMiddleware::sessionFallback now sweeps expired rate_limit_* keys from the session on every fallback invocation (src/Middleware/RateLimitMiddleware.php). If the DB is unavailable and a crawler hits many distinct paths, session files no longer grow unboundedly — keys older than 4 × window_seconds are pruned.

Locking this thread.
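
The sweep described in the resolution above, as an added example that is not the project's own code. Only the `rate_limit_` prefix and the 4 × window_seconds cutoff come from the thread; the key format, entry layout, function signatures and sample traffic are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed layout: $session['rate_limit_' . sha1($path)] = ['count' => int, 'window_start' => int]
const KEY_PREFIX = 'rate_limit_';

/** Drop rate_limit_* entries whose window started more than 4 * $windowSeconds ago. */
function sweepExpiredKeys(array &$session, int $windowSeconds, int $now): int
{
    $cutoff = $now - 4 * $windowSeconds;
    $removed = 0;
    foreach (array_keys($session) as $key) {
        if (!is_string($key) || strncmp($key, KEY_PREFIX, strlen(KEY_PREFIX)) !== 0) {
            continue; // unrelated session data is left untouched
        }
        $entry = $session[$key];
        // Malformed entries are removed as well, so they cannot stay in the session forever.
        $valid = is_array($entry) && isset($entry['window_start']) && is_int($entry['window_start']);
        if (!$valid || $entry['window_start'] < $cutoff) {
            unset($session[$key]);
            $removed++;
        }
    }
    return $removed;
}

/** Session fallback (hypothetical signature): sweep on every call, then count the hit. */
function sessionFallback(array &$session, string $path, int $limit, int $windowSeconds, int $now): bool
{
    sweepExpiredKeys($session, $windowSeconds, $now);
    $key = KEY_PREFIX . sha1($path);
    $entry = $session[$key] ?? null;
    if ($entry === null || $now - $entry['window_start'] >= $windowSeconds) {
        $entry = ['count' => 0, 'window_start' => $now]; // start a fresh window
    }
    $entry['count']++;
    $session[$key] = $entry;
    return $entry['count'] <= $limit;
}

// Constructed input: one client requests 500 distinct paths, one per second, window = 60 s.
$session = ['user_id' => 42];
for ($i = 0; $i < 500; $i++) {
    sessionFallback($session, "/page/$i", 10, 60, 1000000 + $i);
}
// The session holds only keys from the last 4 * 60 s plus 'user_id', not all 500 paths.
echo count($session), PHP_EOL;
```

Sweeping on write bounds the session by request rate × 4 × window_seconds rather than by the number of distinct paths ever requested.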
