Posted by Erwin Moller on 12/14/06 14:36

Erwin Moller wrote:

> frizzle wrote:
>
>>
>> frizzle wrote:
>>> Erwin Moller wrote:
>>> > frizzle wrote:
>>> >
>>> > > Hi there,
>>> > >
>>> > > I need a function to prevent a page from being loaded too often too
>>> > > fast.
>>> > > So say, one is only allowed to refresh a single page 5 times in 10
>>> > > seconds, or 10 times in 5 seconds (or whatever ... ).
>>> > > If the load frequency exceeds that, the site calls exit(); And a
>>> > > message is displayed. Just like Expression Engine does ...
>>> > >
>>> > > This way i want to protect the DB from being queried rediculously
>>> > > often, and maybe even protect it from DDOS attacks.
>>> > >
>>> > > I hope it's clear. I don't know where to start ..
>>> > >
>>> > > Thanks!
>>> >
>>> > Hi,
>>> >
>>> > You have to implement some kind of countingmechanism when the page
>>> > starts. You can store the timestamp (now) in a database once the page
>>> > runs, and check if it has been accessed more than X times last Y
>>> > seconds. Just build it. :-)
>>> >
>>> > Of course this check will slow down each request to the page a little,
>>> > but if the load of running the whole page is much higher, this may be
>>> > worth the time.
>>> >
>>> > Regards,
>>> > Erwin Moller
>>>
>>> Would this be a good thing to do with sessions ?
>>
>> Not to be stupid here, but i don't completely get one thing:
>>
>> Say one can load 5 times in 5 seconds;
>>
>> If someone loads the page at second 1, and then reloads three times
>> between second 3 and five, this would be 4 loads in 5 seconds. But if
>> then he reloads 3 times between seconds 5 and 7, it's 6 loads in (less
>> then) 5 seconds, though AFAIK your idea would have "approved" this.
>>
>> How could i fix this?
>>
>> Thanks!
>
> Hi,
>
> first question: Session.
> I was unsure if you wanted to protect against a single user or against all
> users.
> If you want to protect against a single user loading the page too much,
> you should use session, BUT if that visitor wants to circumvent your
> sessionlogic, it is easy.
> Here is why: If you want to use a session with a visitor you send along a
> sessionid with each request and response. The sessionid is stored in the
> URL or cookie.
> Both can easily be manipulated by the visitor, so this will not really
> work.
>
> It would make more sense to use the remote IP-address to maximize the
> number of requests to your page.
>
> Second querstion: How to implement the quota X times per Y secs?
>
> just a rouch idea based on IP:
> create a table like this:
> CREATE TABLE tblrequest(
> IPnum text,
> lastrequest datetime
> )
>
> Now above your script do this:
> 1) Get the remote IP
> Use remoteadress, read more here:
> http://nl3.php.net/manual/en/function.getenv.php
>
> 2) delete from tblrequest ALL requests older than (now - Y secs)
>
> 3) check if this IP has already exceeded the quota:
> Something like:
> SELECT COUNT(IPnum) FROM tblrequest
> WHERE (IPnum = '<IPnum found in step1>');
>
> if the count exceeds X, exit, otherwise continue with the rest of the
> script.

Oops forgot to mention the obvious:
of course insert it in the table. :-)

INSERT INTO tblrequest (IPnum,lastrequest)
VALUES ('<IPnum found in step1>','now');

Regards,
Erwin Moller

[Back to original message]