How to use cookie for request/conection limiting

piavlo nginx-forum at nginx.us
Sun Nov 1 01:02:49 MSK 2009


anomalizer Wrote:
-------------------------------------------------------

> >Genuine users of specific application - this why
> I though that session
> >should be most reliable way. The other option is
> to limit by IP but
> >AFAIU this is not good in case several users are
> connecting from behind
> >the same proxy.  Could you recommend other
> options?
> 
> You need some sort of a way to ensure that the per
> user token (in this
> case session id in a cookie) was actually issued
> by you. 

 The web application which I need to throttle is a php one. I'm not a php coder and only slightly familiar with php - can I assign a custom algorithm to php session id generation?
Also how can I verify the session id inside nginx? Should I write a special verification code in nginx embedded perl?

> The token
> should have the following properties:
> 
> * Computationally inexpensive to check if you had
> issued the token
> 
> * Computationally prohibitive for others to create
> a token that will
> pass the test above
> 
> 
> Failure to produce a legitimate toke by the user
> shoudl result in a HTTP
> 403

Now that I think about cookie based limiting again - it's not clear to me how new client connections will be handled, by 
the connection/request limiting modules, before the application assigns them a valid cookie?

Thanks

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,18135,18730#msg-18730






More information about the nginx mailing list