Re: [cgiapp] RFC: CGI::Application::Plugin::RateLimit

Tue, 02 May 2006 12:55:03 -0700 

On Tue, 2 May 2006, Michael Peters wrote:


    # set the table name to use for storing hits
    $rate_limit->table('rate_limit_hits');


It might be nice if there was a reasonable default for this table name.
Apache::Session and CGI::Session both default to 'sessions' but can be
changed.


Sure, a default for this makes sense.


    # call this runmode when a violation is detected
    $rate_limit->violation_mode('too_fast_buddy');

    # or, run this callback
    $rate_limit->violation_callback(sub { ... });


Is there any way for these methods to be able to know how many times
they were abused, or how long the user will need to wait to try again? I
remember a project where the $client wanted the user to receive a
message like "You have done this too many times... Please wait x minutes
and try again."

Maybe you can pass the needed information to the subs being called or
make it available in either params() or the $rate_limit obj.


Passing along information to the violation mode sounds like a good
idea.  I wonder though how you would compute X for "wait X minutes and
try again."  You could set X = to timeframe, but that would be
pessimistic.  The accurate number would be timeframe - time since
first considered event, since after that you've got at least one more
chance.


Another use for this module might be to limit arbitrary actions and not
necessarily run modes. The same $client above also wanted a limit on the
number of failed logins that could happen for a given username in a
given time period. So it wasn't just run mode access since a successful
login shouldn't matter. Maybe something like the following:

 $rate_limit->record(
   user   => $user_id,
   action => 'failed_login'
 );


Hmmm.  How would that method indicate a violation?  It's not obvious
to me how that would interact with 'violation_mode', for example.

Another idea that was suggested to me is to allow a hit to be
revoked.  This might be useful to allow validation errors to not count
as hits for rate-limiting.  Something like:

  $self->rate_limit->revoke_hit()
    if $errors_found;

-sam

---------------------------------------------------------------------
Web Archive:  http://www.mail-archive.com/[email protected]/
             http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]























					Reply via email to