Reply to Re: Page load frequency

Posted by frizzle on 12/16/06 18:28

Erwin Moller wrote:

> Erwin Moller wrote:
>
> > frizzle wrote:
> >
> >>
> >> frizzle wrote:
> >>> Erwin Moller wrote:
> >>> > frizzle wrote:
> >>> >
> >>> > > Hi there,
> >>> > >
> >>> > > I need a function to prevent a page from being loaded too often too
> >>> > > fast.
> >>> > > So say, one is only allowed to refresh a single page 5 times in 10
> >>> > > seconds, or 10 times in 5 seconds (or whatever ... ).
> >>> > > If the load frequency exceeds that, the site calls exit(); And a
> >>> > > message is displayed. Just like Expression Engine does ...
> >>> > >
> >>> > > This way I want to protect the DB from being queried ridiculously
> >>> > > often, and maybe even protect it from DDOS attacks.
> >>> > >
> >>> > > I hope it's clear. I don't know where to start ..
> >>> > >
> >>> > > Thanks!
> >>> >
> >>> > Hi,
> >>> >
> >>> > You have to implement some kind of counting mechanism when the page
> >>> > starts. You can store the timestamp (now) in a database once the page
> >>> > runs, and check if it has been accessed more than X times last Y
> >>> > seconds. Just build it. :-)
> >>> >
> >>> > Of course this check will slow down each request to the page a little,
> >>> > but if the load of running the whole page is much higher, this may be
> >>> > worth the time.
> >>> >
> >>> > Regards,
> >>> > Erwin Moller
> >>>
> >>> Would this be a good thing to do with sessions ?
> >>
> >> Not to be stupid here, but I don't completely get one thing:
> >>
> >> Say one can load 5 times in 5 seconds;
> >>
> >> If someone loads the page at second 1, and then reloads three times
> >> between second 3 and five, this would be 4 loads in 5 seconds. But if
> >> then he reloads 3 times between seconds 5 and 7, it's 6 loads in (less
> >> than) 5 seconds, though AFAIK your idea would have "approved" this.
> >>
> >> How could I fix this?
> >>
> >> Thanks!
> >
> > Hi,
> >
> > first question: Session.
> > I was unsure if you wanted to protect against a single user or against all
> > users.
> > If you want to protect against a single user loading the page too much,
> > you should use session, BUT if that visitor wants to circumvent your
> > sessionlogic, it is easy.
> > Here is why: If you want to use a session with a visitor you send along a
> > sessionid with each request and response. The sessionid is stored in the
> > URL or cookie.
> > Both can easily be manipulated by the visitor, so this will not really
> > work.
> >
> > It would make more sense to use the remote IP-address to maximize the
> > number of requests to your page.
> >
> > Second question: How to implement the quota X times per Y secs?
> >
> > Just a rough idea based on IP:
> > create a table like this:
> > CREATE TABLE tblrequest(
> > IPnum text,
> > lastrequest datetime
> > )
> >
> > Now above your script do this:
> > 1) Get the remote IP
> > Use remoteadress, read more here:
> > http://nl3.php.net/manual/en/function.getenv.php
> >
> > 2) delete from tblrequest ALL requests older than (now - Y secs)
> >
> > 3) check if this IP has already exceeded the quota:
> > Something like:
> > SELECT COUNT(IPnum) FROM tblrequest
> > WHERE (IPnum = '<IPnum found in step1>');
> >
> > if the count exceeds X, exit, otherwise continue with the rest of the
> > script.
>
> Oops forgot to mention the obvious:
> of course insert it in the table. :-)
>
> INSERT INTO tblrequest (IPnum,lastrequest)
> VALUES ('<IPnum found in step1>','now');
>
> Regards,
> Erwin Moller

Hmm, this kind of overlaps my other issue:
Logging in users. I know there are a lot of topics out there, but none of
them seem to give a real answer:

I was told using IP (also with pageloads) isn't safe as some ISPs
change IP addresses. Are sessions really that unsafe? I thought they
could only be manipulated if you have access to the server ...


Thanks for explaining.
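
Added example, not part of the original thread or either poster's code: the delete / count / insert steps quoted above, run against the timeline from the "5 loads in 5 seconds" question (one load at second 1, three between seconds 3 and 5, three between seconds 5 and 7). Assumptions: PDO with an in-memory SQLite database stands in for the real one, `lastrequest` stores a Unix timestamp, the function name `allow_request` and the index are hypothetical, and, as a variation on the quoted steps, a refused request is not recorded.

```php
<?php
// Sliding-window limiter over the thread's tblrequest table (added example).
// The clock is passed in so the timeline below is reproducible offline.
function allow_request(PDO $db, string $ip, float $now, int $maxHits, float $windowSecs): bool
{
    $db->beginTransaction();

    // Step 2: delete every row older than (now - Y secs), for all IPs.
    $del = $db->prepare('DELETE FROM tblrequest WHERE lastrequest <= ?');
    $del->execute([$now - $windowSecs]);

    // Step 3: whatever is left for this IP lies inside the window ending now.
    // The IP is bound as a parameter, never concatenated into the SQL.
    $cnt = $db->prepare('SELECT COUNT(*) FROM tblrequest WHERE IPnum = ?');
    $cnt->execute([$ip]);
    $allowed = (int) $cnt->fetchColumn() < $maxHits;

    // Insert step: record the request only when it is going to be served.
    if ($allowed) {
        $ins = $db->prepare('INSERT INTO tblrequest (IPnum, lastrequest) VALUES (?, ?)');
        $ins->execute([$ip, $now]);
    }

    $db->commit();
    return $allowed;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tblrequest (IPnum TEXT NOT NULL, lastrequest REAL NOT NULL)');
$db->exec('CREATE INDEX idx_tblrequest ON tblrequest (IPnum, lastrequest)');

// Constructed timeline in seconds; 203.0.113.7 is a documentation address.
$loads = [1.0, 3.0, 4.0, 4.8, 5.2, 6.0, 6.8];
foreach ($loads as $t) {
    $ok = allow_request($db, '203.0.113.7', $t, 5, 5.0);
    printf("t=%.1fs  %s\n", $t, $ok ? 'served' : 'blocked');
}

// On a live page the inputs would come from the server, not from the client:
//   $ip  = $_SERVER['REMOTE_ADDR'];   // not a client-supplied header
//   $now = microtime(true);
//   if (!allow_request($db, $ip, $now, 5, 5.0)) {
//       http_response_code(429);
//       exit('Too many requests');
//   }
```

Because old rows are deleted relative to the current request time, the count always covers the last Y seconds ending now, so a burst that straddles two fixed 5-second blocks is still counted as one burst.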
