 

Why does maxConcurrentSessions default to such a low value? And what is a safe value?

In WCF maxConcurrentSessions defaults to 10, which limits a server to no more than 10 open TCP connections.

Why is this so?

Is it safe for me just to set it to a very high value for a server that has a "handful" (or two) of clients, but needs to keep a netTcpBinding open for each client due to sending events to the clients?

Ian Ringrose asked Dec 18 '22 04:12


2 Answers

I assume your instance mode is Per Session. You can set this value to Int32.Max if required. However, it is good to understand the WCF Throttling concepts in detail.

The value is very low to prevent DOS attacks, as WCF team wants the services to be "secure by default".

Here is a good read; have a look at this blog post:

Note that these values are extremely low... much lower than many people would like them to be. The thinking of the WCF team here was that they wanted WCF to be "secure by default" and reduce the chance of DOS attacks being launched against your service. That idea might sound great, but in practice it causes major issues.

In fact, you have almost certainly run into these issues if you are using a binding like WsHttpBinding that supports sessions. Why is that? With the default number of sessions at 10, this appears at first to mean that 10 users can access your service at the same time. However, WCF sessions are not web sessions. Unlike web sessions, which are managed by the server and generally tracked using http cookies, WCF sessions are initiated by the client proxy and don't end until they time out or the client sends an explicit request to abandon the session. Here's the thing: since each proxy instance initiates its own session, a user that makes a few requests at once could potentially be using multiple sessions at once. Now you might be thinking you are safe if you don't have multi-threaded code that does this kind of thing... but that's not exactly true. Because the user must make an explicit request to the server to cancel his session, it's possible that you will leave sessions open accidentally. People who have been working with ASMX services often don't realize that they need to close their proxy objects, and the few that do realize that the objects need to be closed often make the mistake of treating them like disposable objects, which results in sessions being left open. Keeping in mind that the default session limit is 10, this means that if you make ten calls to a service using WsHttpBinding in a relatively short amount of time, you can end up locking up your service until the sessions expire.

The decision that the WCF team made here can be perplexing. In an attempt to limit the ability of attackers to launch DOS attacks against your services, they made it much easier to perform a DOS attack against your service. No longer do you need the resources to flood a server with requests so that it can no longer respond; you simply have to make a handful of calls without explicitly requesting the connection to close and max out the session count. Unless you set this value extremely high, you run the risk of having a server refusing to accept any incoming connections, despite the fact that it is chilling out with zero CPU usage.

amazedsaint answered Jan 18 '23 23:01
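The two points made in the answer above and in the blog post it quotes (raise the throttle deliberately, and close client proxies so sessions are actually released) can be shown in one self-hosted netTcpBinding program. This is an added example written for this page; it is not code from the question, from the answerers, or from the quoted blog. The contract, service name and port are made up for illustration. Two caveats a practitioner should know: the 10/16/26 defaults discussed on this page are the .NET 3.x values, and from .NET 4.0 onward WCF scales them with the machine (maxConcurrentSessions = 100 × processor count, maxConcurrentCalls = 16 × processor count, maxConcurrentInstances = their sum); and the proxy must be closed with Close(), falling back to Abort() when the channel is faulted, because a `using` block calls Dispose(), which calls Close(), which throws on a faulted channel and leaves the session counted against the throttle.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

// Added example for this page, not code from the original post.
// Contract name, service name and port are hypothetical.
[ServiceContract(SessionMode = SessionMode.Required)]
public interface IEventService
{
    [OperationContract]
    int Ping(int value);
}

// PerSession: one service instance per client session, as the answer assumes.
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerSession)]
public class EventService : IEventService
{
    public int Ping(int value) { return value + 1; }
}

public static class Program
{
    const string Address = "net.tcp://localhost:8734/EventService"; // hypothetical

    public static void Main()
    {
        var host = new ServiceHost(typeof(EventService), new Uri(Address));
        try
        {
            host.AddServiceEndpoint(typeof(IEventService), new NetTcpBinding(), "");

            // Set the throttle explicitly instead of relying on the default.
            // Sessions must cover every client that keeps a netTcpBinding open
            // for callbacks, plus headroom for clients that reconnect before
            // their old session has timed out.
            var throttle = host.Description.Behaviors.Find<ServiceThrottlingBehavior>();
            if (throttle == null)
            {
                throttle = new ServiceThrottlingBehavior();
                host.Description.Behaviors.Add(throttle);
            }
            throttle.MaxConcurrentSessions = 200;  // one per open client channel
            throttle.MaxConcurrentCalls = 64;      // operations executing at once
            throttle.MaxConcurrentInstances = 264; // sessions + calls for PerSession

            host.Open();
            Console.WriteLine("Throttle: sessions={0} calls={1} instances={2}",
                throttle.MaxConcurrentSessions,
                throttle.MaxConcurrentCalls,
                throttle.MaxConcurrentInstances);

            // Client side. Each channel from the factory opens its own session on a
            // sessionful binding, so each one must be closed or it keeps occupying a
            // MaxConcurrentSessions slot until the session times out.
            var factory = new ChannelFactory<IEventService>(
                new NetTcpBinding(), new EndpointAddress(Address));
            for (int i = 0; i < 3; i++)
            {
                IEventService proxy = factory.CreateChannel();
                var channel = (IClientChannel)proxy;
                try
                {
                    Console.WriteLine("Ping {0} -> {1}", i, proxy.Ping(i));
                    channel.Close();   // graceful close ends the session server-side
                }
                catch (CommunicationException)
                {
                    channel.Abort();   // faulted channel: Close() would throw, Abort() never does
                }
                catch (TimeoutException)
                {
                    channel.Abort();
                }
            }
            factory.Close();
            host.Close();
        }
        catch (Exception ex)
        {
            Console.WriteLine("Host failed: {0}", ex.Message);
            host.Abort();
        }
    }
}
```

The same three values can be set declaratively in app.config under `<behaviors><serviceBehaviors><behavior>` as `<serviceThrottling maxConcurrentSessions="200" maxConcurrentCalls="64" maxConcurrentInstances="264"/>`. To check whether a deployed service is actually hitting the ceiling rather than guessing, enable WCF performance counters (`<diagnostics performanceCounters="ServiceOnly"/>`) and watch the ServiceModelService "Percent of Max Concurrent Sessions" counter; a service that sits near 100% with idle CPU is showing exactly the leaked-session lockup the quoted blog describes.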


You can set this much higher - as long as your server has the resources to process the requests. It defaults to 10 as this will easily defeat any denial of service attacks on your service. If you have a powerful server dedicated to this single service, you could set it to 10,000 if you wanted to. There isn't a magic number you can use for this - you need to balance the demand on one side and the server resources on the other and this maximum number of concurrent sessions helps to prevent melt-down!

Fenton answered Jan 18 '23 23:01