How to use cookie for request/conection limiting

piavlo nginx-forum at
Sun Nov 1 01:02:49 MSK 2009

anomalizer Wrote:

> >Genuine users of specific application - this why
> I though that session
> >should be most reliable way. The other option is
> to limit by IP but
> >AFAIU this is not good in case several users are
> connecting from behind
> >the same proxy.  Could you recommend other
> options?
> You need some sort of a way to ensure that the per
> user token (in this
> case session id in a cookie) was actually issued
> by you. 

 The web application which I need to throttle is a php one. I'm not a php coder and only slightly familiar with php - can I assign a custom algorithm to php session id generation?
Also how can I verify the session id inside nginx? Should I write a special verification code in nginx embedded perl?

> The token
> should have the following properties:
> * Computationally inexpensive to check if you had
> issued the token
> * Computationally prohibitive for others to create
> a token that will
> pass the test above
> Failure to produce a legitimate toke by the user
> shoudl result in a HTTP
> 403

Now that I think about cookie based limiting again - it's not clear to me how new client connections will be handled, by 
the connection/request limiting modules, before the application assigns them a valid cookie?


Posted at Nginx Forum:,18135,18730#msg-18730

More information about the nginx mailing list