I'd agree with that approach. I write interfaces where we can have bursts of 100 messages a minute, and if I took all those requests and pushed them to the database, then the interactive users would experience delays. So, what I do is have a mandatory pause of 15 seconds between messages. So if I do get a burst of 100, it's going to load in a bit over 1500 seconds (25 minutes). The users love this since they don't notice the interface is running at all.
Brute force prevention of just adding a sleep of 1 second may be good, the user probably would notice the site a little slower, but brute forcing now takes a lot more time. You could add to the session object 'last request time' and if it's not x seconds/milliseconds old, return a 500 error...

On Tuesday, May 28, 2013 12:56:17 PM UTC-7, Niphlod wrote:
>
> then just insert a time.sleep(1) after form.process().accepted
>
> rate limiting algos are a bit of a pain to implement correctly and there
> are always issues with concurrency, user identification, etc etc etc.
>
> On Tuesday, May 28, 2013 9:52:57 PM UTC+2, Chris Teodorski wrote:
>>
>> Just brute force prevention. This should always be a human submitting
>> with no bursts.
>>
>> On Tuesday, 28 May 2013 15:46:33 UTC-4, Niphlod wrote:
>>>
>>> then the question should be.... are you in the search of a method that
>>> enables users to submit 5 forms in 1 second but NOT 6 forms in 5 seconds
>>> (i.e. do you allow short bursts/peeks) or just something that prevents
>>> bruteforce and allows 1 submit in a second (pretty irrelevant waiting-time
>>> for a "human user")?
>>>
>>> On Tuesday, May 28, 2013 9:39:12 PM UTC+2, Chris Teodorski wrote:
>>>>
>>>> On Tuesday, 28 May 2013 15:35:48 UTC-4, Niphlod wrote:
>>>>
>>>>> If your problem lies into the realm of "this form shouldn't be
>>>>> submitted more than 5 times in 5 seconds" you can play a little bit with
>>>>> your controller....
>>>>>
>>>>
>>>> That is exactly what my problem is, or what I'm trying to prevent.
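
Added example, not part of the original thread and not web2py's own code: a framework-independent sketch of the "no more than 5 submissions in 5 seconds" check discussed above, with a lock for the concurrency issue mentioned in the quoted reply. The class name, the `allow()` method and the sample client addresses are assumptions made for illustration. The limiter is keyed by a value held on the server (client address or target account), since a counter kept in the session disappears when the client drops its cookie.

```python
import threading
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` submissions per `window` seconds for each key."""

    def __init__(self, limit=5, window=5.0, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock                 # injectable so tests need no sleep
        self._hits = defaultdict(deque)    # key -> timestamps of accepted hits
        self._lock = threading.Lock()      # requests are handled concurrently

    def allow(self, key):
        """Return (allowed, retry_after_seconds) for one submission by `key`."""
        now = self.clock()
        with self._lock:
            hits = self._hits[key]
            # Forget submissions that have fallen out of the window.
            while hits and now - hits[0] >= self.window:
                hits.popleft()
            if len(hits) >= self.limit:
                # The oldest hit leaves the window at hits[0] + window;
                # a caller would answer 429 with this as Retry-After.
                return False, hits[0] + self.window - now
            hits.append(now)
            return True, 0.0


def demo():
    """Constructed scenario: one client bursts 7 submissions, then waits."""
    fake_now = [100.0]
    limiter = SlidingWindowLimiter(limit=5, window=5.0, clock=lambda: fake_now[0])
    results = []
    for _ in range(7):
        results.append(limiter.allow("203.0.113.7")[0])   # constructed address
        fake_now[0] += 0.1
    fake_now[0] = 105.0    # the first hit (t=100.0) has now expired
    results.append(limiter.allow("203.0.113.7")[0])
    results.append(limiter.allow("198.51.100.9")[0])      # other client unaffected
    return results


if __name__ == "__main__":
    print(demo())
```

The state here lives in one process; a deployment with several worker processes needs the timestamps in a shared store for the limit to hold across workers.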