How to use cookie for request/conection limiting

Arvind Jayaprakash work at
Sat Oct 31 16:30:19 MSK 2009

On Oct 30, piavlo wrote:
>anomalizer Wrote:
>> Are you trying to limit genuine or malicious
>> users? A malicious user can
>> always circumvet the limites by creating his own
>> cookies and sending
>> them.
>Genuine users of specific application - this why I though that session
>should be most reliable way. The other option is to limit by IP but
>AFAIU this is not good in case several users are connecting from behind
>the same proxy.  Could you recommend other options?

You need some sort of a way to ensure that the per user token (in this
case session id in a cookie) was actually issued by you. The token
should have the following properties:

* Computationally inexpensive to check if you had issued the token

* Computationally prohibitive for others to create a token that will
pass the test above

Failure to produce a legitimate toke by the user shoudl result in a HTTP

More information about the nginx mailing list