Merge pull request #17537 from overleaf/bg-session-mitigation-log-session-size

Add custom session store to track largest session sizes for anonymous users

GitOrigin-RevId: 23312689d7adb8196e66bb925afcfef78c4c558d

services/web/app/src/infrastructure/Server.js

@@ -48,8 +48,42 @@ const STATIC_CACHE_AGE = Settings.cacheStaticAssets
   ? oneDayInMilliseconds * 365
   : 0
 
+// Define a custom session store to record the largest session sizes
+// seen for anonymous users
+class CustomSessionStore extends RedisStore {
+  static largestSessionSize = 2048 // ignore sessions smaller than 2KB
+
+  static trackAnonymousSessionSize(sess) {
+    const isLoggedIn = SessionManager.isUserLoggedIn(sess)
+    if (!isLoggedIn) {
+      const len = JSON.stringify(sess, (key, value) => {
+        if (key === 'hashedPassword' && value?.length > 0) {
+          return '*'.repeat(value.length)
+        }
+        return value
+      }).length
+      if (len > CustomSessionStore.largestSessionSize) {
+        CustomSessionStore.largestSessionSize = len
+        logger.warn({ sess, sessionSize: len }, 'largest session size seen')
+      }
+    }
+  }
+
+  set(sid, sess, cb) {
+    CustomSessionStore.trackAnonymousSessionSize(sess)
+    super.set(sid, sess, cb)
+  }
+
+  touch(sid, sess, cb) {
+    CustomSessionStore.trackAnonymousSessionSize(sess)
+    super.touch(sid, sess, cb)
+  }
+}
+
 // Init the session store
-const sessionStore = new RedisStore({ client: sessionsRedisClient })
+const sessionStore = new CustomSessionStore(
+  new RedisStore({ client: sessionsRedisClient })
+)
 
 const app = express()