
How to prevent overflow of sessions in node.js app?


I have a nodejs web application which uses the express framework, and it is reachable via internet. I am using a session store which stores the sessions as plain files on disk, and with the current implementation, each request without cookie will get a new session-id, resulting in a new file on disk for the new session.

Since the application is reachable via internet, I receive a lot of invalid requests, which of course never send cookies, but produce more sessions on my filesystem, which is a real mess.

I used the OWASP session management cheat sheet as a guideline for the implementation (https://www.owasp.org/index.php/Session_Management_Cheat_Sheet), but it does not cover the topic of guest sessions in detail. It only states that applications might find it useful to assign sessions also to unauthenticated (guest) users, so guest-sessions seem to be a valid feature in general.

So right now I don't know how to properly fight the problem of unnecessarily created sessions/session files by invalid/malicious requests. Is there any recommended way to do this?
I thought of maybe a combination of a very short expiration of 'guest'-sessions (< 5min) and a whitelist for IP ranges or something, where any IP not in the whitelist will not receive a guest-session (but of course a session once successfully authenticated).

Any tips on how I should approach this problem?


Solution

  • Regardless of how you store your session you will face this same issue. At some point your session storage will overflow (run out of disk space, run out of RAM, run out of inodes, etc.).

    What you need to do is prune your sessions. Unless you really can afford to store sessions indefinitely you should set an expiry date on your session cookie. For the client the browser will take care of deleting the cookie. For the server you need to periodically check all sessions to see if any have expired.

    What you do next is simple. Regardless of the technology you choose to store sessions you simply delete expired sessions. This can be done either within your node process (inside some setTimeout() handler) or outside your node process (maybe a simple daily cron job).

    You should allow some grace period (1 minute, 1 hour, 1 day, etc.) before deleting stale session files to prevent a race condition between you deleting the session file and a user loading the website.

    You may also want to allow users to refresh the session expiry date on each visit. For a file-based session store this can be as simple as touching the file to update last modified time.

    There is one situation where this strategy won't work. Some databases won't release disk space when you delete data, for performance reasons (MySQL with InnoDB for example). Instead the data is simply marked as deleted but the database keeps growing. In such cases your only way out is to change your session storage. But since you are using file storage it's not an issue you need to worry about.