I work on an application that uses file-backed sessions (I know, I know). Right now it is especially susceptible to DoS attacks because it allocates a session for every request, authenticated or not.
Is there an easy (i.e. default) way to set a maximum number of sessions, and purge old sessions if that limit is reached? I could just write another middleware layer that checks the number of files in the session directory and purges old ones if it’s above a threshold, but is there an easier way?
And I understand, file-backed sessions are worthless. But I'm not the one who designed the system, I've just got to deal with it, so please don't just send me to some website about Django or mod_limitipconn.
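Added example (not code from the original post): the middleware layer the question describes, written as plain WSGI so it does not depend on any particular session library. It counts the files in the session directory before each request and removes the oldest ones (by mtime) when the count exceeds a cap. `session_dir`, `max_sessions` and the `SessionCapMiddleware` name are assumptions for the illustration; the session files themselves are whatever the existing store writes, one file per session.

```python
import os
import tempfile

# Hypothetical middleware for a file-backed session store: cap the number of
# session files so a flood of anonymous requests cannot fill the disk or the
# directory. Configuration names (session_dir, max_sessions) are assumed.


def list_session_files(session_dir):
    """Return (mtime, path) pairs for regular files in session_dir, oldest first."""
    entries = []
    for name in os.listdir(session_dir):
        path = os.path.join(session_dir, name)
        if not os.path.isfile(path):
            continue
        try:
            entries.append((os.stat(path).st_mtime, path))
        except FileNotFoundError:
            continue  # another worker removed it between listdir and stat
    entries.sort()
    return entries


def purge_old_sessions(session_dir, max_sessions):
    """Delete the oldest session files until at most max_sessions remain.

    Returns the list of removed paths. Evicting by mtime means idle sessions
    go first, because an active session keeps rewriting (touching) its file.
    """
    entries = list_session_files(session_dir)
    excess = max(len(entries) - max_sessions, 0)
    removed = []
    for _, path in entries[:excess]:
        try:
            os.remove(path)
            removed.append(path)
        except FileNotFoundError:
            pass  # already gone; nothing to do
    return removed


class SessionCapMiddleware:
    """WSGI wrapper that enforces the session-file cap before each request."""

    def __init__(self, app, session_dir, max_sessions=10000):
        self.app = app
        self.session_dir = session_dir
        self.max_sessions = max_sessions

    def __call__(self, environ, start_response):
        purge_old_sessions(self.session_dir, self.max_sessions)
        return self.app(environ, start_response)


def demo(max_sessions=3, total=5):
    """Constructed scenario: create `total` session files with increasing
    mtimes, wrap a trivial app, serve one request, report what survived."""
    with tempfile.TemporaryDirectory() as d:
        for i in range(total):
            path = os.path.join(d, f"session-{i}")
            with open(path, "w") as fh:
                fh.write("x")
            # distinct, increasing mtimes so "oldest" is unambiguous
            os.utime(path, (1_000_000 + i, 1_000_000 + i))

        def app(environ, start_response):
            start_response("200 OK", [("Content-Type", "text/plain")])
            return [b"ok"]

        wrapped = SessionCapMiddleware(app, d, max_sessions=max_sessions)
        body = b"".join(wrapped({}, lambda status, headers: None))
        remaining = sorted(os.path.basename(p) for _, p in list_session_files(d))
        return body, remaining


if __name__ == "__main__":
    print(demo())
```

Two caveats worth noting: listing the directory on every request is itself O(n) in the number of sessions, so in production you would run the purge on a timer or every Nth request rather than inline; and the cap only bounds the damage, it does not remove the cause, which is allocating a session for unauthenticated requests in the first place.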
From the docs:
I guess I’ll just have to make it work properly. Crap.