Sam Tregar wrote:
> so
> please feel free to be completely ruthless.

You didn't say whether or not you would hold this against us at some
future date :)

>     # set the table name to use for storing hits
>     $rate_limit->table('rate_limit_hits');

It might be nice if there was a reasonable default for this table name.
Apache::Session and CGI::Session both default to 'sessions' but can be
changed.

>     # keep people from calling 'send' more often than 5 times in 10
>     # minutes and 'list' more often than once every 5 seconds.
>     $rate_limit->protected_modes(send => {timeframe => '10m',
>                                           max_hits  => 5
>                                          },
>                                  list => {timeframe => '5s',
>                                           max_hits  => 1
>                                          });
> 
>     # call this runmode when a violation is detected
>     $rate_limit->violation_mode('too_fast_buddy');
> 
>     # or, run this callback
>     $rate_limit->violation_callback(sub { ... });

Is there any way for these methods to be able to know how many times
they were abused, or how long the user will need to wait to try again? I
remember a project where the $client wanted the user to receive a
message like "You have done this too many times... Please wait x minutes
and try again."

Maybe you can pass the needed information to the subs being called or
make it available in either params() or the $rate_limit obj.

Another use for this module might be to limit arbitrary actions and not
necessarily run modes. The same $client above also wanted a limit on the
number of failed logins that could happen for a given username in a
given time period. So it wasn't just run mode access since a successful
login shouldn't matter. Maybe something like the following:

  $rate_limit->record(
    user   => $user_id,
    action => 'failed_login'
  );

[snip]

>   CREATE TABLE rate_limit_hits (
>      user_id   VARCHAR(255) NOT NULL,
>      module    VARCHAR(255) NOT NULL,
>      run_mode  VARCHAR(255) NOT NULL,
>      timestamp TIMESTAMP    NOT NULL,
>      PRIMARY KEY (user_id, module, run_mode, timestamp)
>   );

If you decide to add the record() method above it might make sense to
change the 'run_mode' field to something like 'action'. And if you do
this you could just drop the 'module' field and create an 'action' entry
with something like "$module=>$run_mode", etc.

-- 
Michael Peters
Developer
Plus Three, LP
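
A sketch of the two suggestions above, as an added example that is not code from this thread or from the module: a hypothetical record() for arbitrary actions, and a hypothetical check() that reports how many hits fell in the window and how long the user must wait. It assumes DBI with DBD::SQLite, a single 'action' column, and a constructed epoch-seconds hit_time column in place of TIMESTAMP.

```perl
use strict;
use warnings;
use DBI;
use POSIX qw(ceil);

# In-memory SQLite stands in for the real database (assumes DBD::SQLite).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });

# 'module' and 'run_mode' folded into one 'action' column. hit_time is a
# constructed epoch-seconds column; no primary key, so two hits that land
# in the same second are both counted.
$dbh->do(q{
    CREATE TABLE rate_limit_hits (
        user_id  VARCHAR(255) NOT NULL,
        action   VARCHAR(255) NOT NULL,
        hit_time INTEGER      NOT NULL
    )
});

# Hypothetical record(): log one hit for an arbitrary action.
sub record {
    my (%arg) = @_;
    $dbh->do('INSERT INTO rate_limit_hits (user_id, action, hit_time) VALUES (?, ?, ?)',
             undef, $arg{user}, $arg{action}, $arg{at} // time());
    return;
}

# Hypothetical check(): returns (hits in window, seconds to wait).
# The wait is 0 while the user is still under max_hits.
sub check {
    my (%arg) = @_;
    my $now   = $arg{at} // time();
    my $times = $dbh->selectcol_arrayref(
        'SELECT hit_time FROM rate_limit_hits
          WHERE user_id = ? AND action = ? AND hit_time > ?
          ORDER BY hit_time DESC',
        undef, $arg{user}, $arg{action}, $now - $arg{timeframe});
    my $hits = @$times;
    return ($hits, 0) if $hits < $arg{max_hits};
    # Blocked until the max_hits-th most recent hit ages out of the window.
    return ($hits, $times->[ $arg{max_hits} - 1 ] + $arg{timeframe} - $now);
}

# Constructed data: three failed logins for one username, limit 3 per 300s.
record(user => 'alice', action => 'failed_login', at => $_) for 1000, 1060, 1120;
for my $now (1130, 1300) {
    my ($hits, $wait) = check(user => 'alice', action => 'failed_login',
                              timeframe => 300, max_hits => 3, at => $now);
    my $msg = $wait ? sprintf('please wait %d minutes', ceil($wait / 60)) : 'allowed';
    print "t=$now: $hits hits, $msg\n";
}
```

Keying the hits on the username being attempted, rather than on a session, keeps the count intact when the client discards its cookies between tries.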

