How to use cookie for request/conection limiting
piavlo
nginx-forum at nginx.us
Sun Nov 1 01:02:49 MSK 2009
anomalizer Wrote:
-------------------------------------------------------
> >Genuine users of specific application - this why
> I though that session
> >should be most reliable way. The other option is
> to limit by IP but
> >AFAIU this is not good in case several users are
> connecting from behind
> >the same proxy. Could you recommend other
> options?
>
> You need some sort of a way to ensure that the per
> user token (in this
> case session id in a cookie) was actually issued
> by you.
The web application which I need to throttle is a php one. I'm not a php coder and only slightly familiar with php - can I assign a custom algorithm to php session id generation?
Also how can I verify the session id inside nginx? Should I write a special verification code in nginx embedded perl?
> The token
> should have the following properties:
>
> * Computationally inexpensive to check if you had
> issued the token
>
> * Computationally prohibitive for others to create
> a token that will
> pass the test above
>
>
> Failure to produce a legitimate toke by the user
> shoudl result in a HTTP
> 403
Now that I think about cookie based limiting again - it's not clear to me how new client connections will be handled, by
the connection/request limiting modules, before the application assigns them a valid cookie?
Thanks
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,18135,18730#msg-18730
More information about the nginx
mailing list