File-based sessions, guestautologin and tmpfs

by Jérôme Charaoui -

Hello, I'd like to share an issue which I've encountered recently on Moodle 3.1 (running on Debian 9).

Our setup used to have database-based sessions. As part of a simultaneous Moodle and server upgrade, and since this is a standalone installation, we decided to switch to file-based sessions instead. And since we want access to these session files to be ultra-fast (they're needed every time a page loads), we decided to place these session files on a tmpfs (in-memory filesystem).

Well, we got bit by this recently because even though we took care to check that session cleanup was functioning correctly, the tmpfs filesystem filled up with session files and users couldn't log into Moodle anymore. It turns out we had thousands of guest sessions taking up most of the space in tmpfs.

After some digging into the session handling code, I found out that guest sessions are allowed to persist five times longer than regular sessions (10 hours on default settings).

Our instance has $CFG->autologinguests enabled, so the number of guest sessions can increase fast: a simple cURL or wget request on a Moodle resource URL creates a few-KB session file, and this can be repeated over and over. These files are then allowed to occupy valuable fast-access storage for a long period of time.

So this raises several questions:

  • What's the advantage of keeping guest sessions around much longer than regular sessions?
  • Could these guest sessions somehow be expired faster? If so, how? Could there be any undesirable side-effects to expiring guest sessions relatively fast, say 10 minutes?
  • From what I can tell there's absolutely no limit on the number of guest sessions a given IP address may generate on the server. Is this right? Shouldn't there be some kind of limit?
  • I'm considering using a zram device to compress session data in memory, to be able to cram more of it into RAM at the expense of some CPU cycles. Are there any drawbacks specific to Moodle I should also consider?

Thanks!

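An added example, not part of the original post or of Moodle's code: a small audit of a file-based session directory that reports how much of it is held by guest sessions, and how much by guest sessions idle longer than a chosen limit (600 seconds here, the 10 minutes raised in the post). It assumes PHP's default `sess_` file naming and that a guest session can be recognised by the serialized `username` value `guest`; the function name and report keys are hypothetical.

```python
import os
import time

# Assumption: Moodle serializes $USER into the session, so a guest session
# file contains this PHP-serialized fragment. Check it against a real file.
GUEST_MARKER = b's:8:"username";s:5:"guest";'

def audit_sessions(session_dir, max_age=600, now=None):
    """Summarize sess_* files in session_dir and flag guest sessions whose
    mtime (used here as last-activity time) is older than max_age seconds.
    """
    now = time.time() if now is None else now
    report = {"files": 0, "bytes": 0, "guest_files": 0, "guest_bytes": 0,
              "stale_guest_files": 0, "stale_guest_bytes": 0}
    with os.scandir(session_dir) as entries:
        for entry in entries:
            if not (entry.name.startswith("sess_") and entry.is_file(follow_symlinks=False)):
                continue
            try:
                st = entry.stat(follow_symlinks=False)
                with open(entry.path, "rb") as fh:
                    is_guest = GUEST_MARKER in fh.read()
            except OSError:
                continue  # removed by session cleanup, or unreadable, mid-scan
            report["files"] += 1
            report["bytes"] += st.st_size
            if is_guest:
                report["guest_files"] += 1
                report["guest_bytes"] += st.st_size
                if now - st.st_mtime > max_age:
                    report["stale_guest_files"] += 1
                    report["stale_guest_bytes"] += st.st_size
    # Share of the filesystem (e.g. the tmpfs mount) already in use.
    vfs = os.statvfs(session_dir)
    report["fs_used_pct"] = round(100 * (1 - vfs.f_bavail / vfs.f_blocks), 1) if vfs.f_blocks else 0.0
    return report

if __name__ == "__main__":
    import sys
    print(audit_sessions(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run periodically against the tmpfs mount, the `stale_guest_bytes` and `fs_used_pct` figures show how close guest sessions are to exhausting the space before logins start failing.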