Forced connection timeouts on browser unloads

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
monkeynest
Forum Newbie
Posts: 2
Joined: Mon Jan 30, 2006 4:21 pm

Forced connection timeouts on browser unloads

Post by monkeynest »

I have a website that allows users to upload files up to 50 megs in size via PHP. I have configured my PHP to allow for this, and in doing so, had to raise my max_execution_time and max_input_time to 15 minutes. I'm afraid my site will get bogged down if too many people start uploads for large files and just close the window, leaving the script in limbo for 15 minutes until it times out. I think this could lead to easily disabling my site if people caught on to this vulnerability.

Are my assumptions correct? And is there anyway for PHP to detect that the upload form was closed or unloaded and timeout that connection?

Sorry, this more of a hybrid code/security question.
User avatar
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

I believe your assumptions are correct. I personally wouldn;t have raised the max_execution_time in the ini file since that's a global change. There is a function called set_time_limit() which you can use on a per-script basis.

As for detecting if the browser has closed I'm not 100% how easy it would be using PHP if there is an upload in progress at the time but perhaps something with sockets or ajax might be of use.... I'm not 100% on that though.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Re: Forced connection timeouts on browser unloads

Post by Roja »

monkeynest wrote:Are my assumptions correct?
Yes.
monkeynest wrote:And is there anyway for PHP to detect that the upload form was closed or unloaded and timeout that connection?
Not reliably. You can set the idle timeout up (can be problematic on some connections), you can script a javascript event (many users disable it, the trigger isnt widely supported, etc), and you can do garbage collection, but in the end, they are bandaids. They arent reliable.
monkeynest
Forum Newbie
Posts: 2
Joined: Mon Jan 30, 2006 4:21 pm

Post by monkeynest »

d11wtq wrote: There is a function called set_time_limit() which you can use on a per-script basis.
Thank you so much, that sounds extremely useful and should explain why my site is a little bogged down at the moment from just browsing the site. I think that's just what I was looking for.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

http://us2.php.net/manual/en/features.c ... ndling.php

This does not apply to file uploads I don't think though, worth the read. If it is worth the trouble there are ways to compile in libraries that would let you handle the uploads, another option is to use perl (I think it allows raw request header access for things such as uploading files), and have the perl script call your PHP script with the path of the uploaded file, it may be easy to accomplish this in perl.. I wouldn't know for sure. Maybe someone can shed some light
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

what about max_input_time?
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

I don't think that's the answer, that would cut out legitimate uploads that are going slow, he wants to end scripts if the user aborts the upload. Something like that would require raw handling of the uploads (the user abort functions work with data being sent back to the client, not before the server sends it's 200 OK)
Post Reply