How to use cookie for request/connection limiting
Arvind Jayaprakash
work at anomalizer.net
Sat Oct 31 16:30:19 MSK 2009
On Oct 30, piavlo wrote:
>anomalizer Wrote:
>-------------------------------------------------------
>
>> Are you trying to limit genuine or malicious
>> users? A malicious user can
>> always circumvent the limits by creating his own
>> cookies and sending
>> them.
>
>Genuine users of specific application - this is why I thought that session
>should be most reliable way. The other option is to limit by IP but
>AFAIU this is not good in case several users are connecting from behind
>the same proxy. Could you recommend other options?
You need some sort of a way to ensure that the per user token (in this
case session id in a cookie) was actually issued by you. The token
should have the following properties:
* Computationally inexpensive to check if you had issued the token
* Computationally prohibitive for others to create a token that will
pass the test above
Failure to produce a legitimate token by the user should result in an HTTP
403.
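The two properties listed above (cheap for the issuer to check, infeasible for anyone else to forge) are exactly what a keyed MAC over the session id gives you. The following is an added illustration, not code from the thread or from nginx: the server issues a token consisting of a payload and an HMAC-SHA256 tag under a server-side secret, verifies it with one HMAC computation and a constant-time compare, answers 403 when the tag is missing or wrong, and only then counts the request against the authenticated user in a fixed-window limiter. The secret, the token layout and the `PerUserLimiter` class are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict
from typing import Optional

# Constructed example secret; a real deployment loads this from configuration,
# never from source code.
SERVER_SECRET = b"example-server-secret-not-for-production"


def issue_token(user_id: str, issued_at: Optional[int] = None) -> str:
    """Issue a session token of the form "<user>:<issued_at>:<nonce>.<tag>".

    The tag is HMAC-SHA256 over the payload under SERVER_SECRET, so only the
    issuer can produce a tag that verifies.
    """
    if issued_at is None:
        issued_at = int(time.time())
    payload = f"{user_id}:{issued_at}:{secrets.token_hex(8)}"
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def token_user(token: Optional[str]) -> Optional[str]:
    """Return the user id carried by a token we issued, or None otherwise.

    Verification costs one HMAC; a client editing the payload or inventing a
    tag fails the constant-time comparison.
    """
    if not token:
        return None
    payload, sep, tag = token.rpartition(".")
    if not sep or not payload or not tag:
        return None
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return payload.split(":", 1)[0]


class PerUserLimiter:
    """Fixed-window request limiter keyed by the authenticated user id.

    Requests without a valid token are rejected before they reach the
    counter, so they cannot consume (or pollute) anyone's quota.
    """

    def __init__(self, max_requests: int, window_seconds: int):
        self.max_requests = max_requests
        self.window = window_seconds
        # (user, window index) -> requests seen; an expiry sweep is omitted here.
        self.counts = defaultdict(int)

    def status_for_request(self, cookie_value: Optional[str],
                           now: Optional[float] = None) -> int:
        """403 for a missing or forged token, 429 once the user's window
        is full, 200 otherwise."""
        user = token_user(cookie_value)
        if user is None:
            return 403
        if now is None:
            now = time.time()
        key = (user, int(now) // self.window)
        self.counts[key] += 1
        if self.counts[key] > self.max_requests:
            return 429
        return 200


if __name__ == "__main__":
    limiter = PerUserLimiter(max_requests=3, window_seconds=60)
    good = issue_token("alice")
    print("no cookie  ->", limiter.status_for_request(None))
    print("self-made  ->", limiter.status_for_request("alice:0:00.deadbeef"))
    print("issued     ->", [limiter.status_for_request(good) for _ in range(4)])
```

Note that the limiter keys on the user id recovered from the verified token, not on the raw cookie string: a client cannot get a fresh quota by minting new cookie values, because none of them will verify, and a per-IP fallback is no longer needed for users behind a shared proxy.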
More information about the nginx mailing list