How to limit the number of requests per user to a page

Question

this is my html code "Txtcomments" runat= "server" TextMode= "MultiLine" > "BtnPost" runat= "server" Text= "Post" OnClick= "BtnPost_Click" /> "Label1" runat= "server" Text= "" > my problem i haave a sample webform like this if a user makes a comment it will save in the database but i had to restrict a particular user like that he should make only 2 comments(requests) within 5 minutes of time if the same user wants to make 3rd comment he should be displaying a message that request limit exceeded first i thought restricting user based on ip but using the below code it blocks all the users of the particular host but not a single user public partial class webThrottle : System.Web.UI.Page { public static string date; public static string strSessionID= "first" ; protected void Page_Load( object sender, EventArgs e) { } protected void BtnPost_Click( object sender, EventArgs e) { string ipaddress; ipaddress = Request.ServerVariables[ "HTTP_X_FORWARDED_FOR" ]; if (ipaddress == "" || ipaddress == null ) ipaddress = Request.ServerVariables[ "REMOTE_ADDR" ]; string SessionID = Session.SessionID; var Throttle = new Throttler(); if (Throttle.RequestShouldBeThrottled(ipaddress)) { Label1.Text = "Access Denied because of Too Many requests" ; TimeSpan span = (Convert.ToDateTime(Throttler.NextAccessDate) - Convert.ToDateTime(DateTime.Now)); string diff= String.Format( "{0} minutes, {1} seconds" , span.Minutes, span.Seconds); Label4.Text = "Elapsed Time = " + " " + "Try Again After " +diff; } else { SqlConnection con = new SqlConnection( "Server=DELL-PC; User Id=sa;Password=123;Database=comments" ); con.Open(); SqlCommand cmd = new SqlCommand( "insert into tbl_comments(comment, ipAddress, Date)values(@p1, @p2, @p4)" , con); cmd.Parameters.AddWithValue( "@p1" , Txtcomments.Text); cmd.Parameters.AddWithValue( "@p2" , ipaddress); date = DateTime.Now.ToString(); cmd.Parameters.AddWithValue( "@p4" , date); int i = cmd.ExecuteNonQuery(); if (i > 0) { Label1.Text = "Your comment has been posted successfully" ; //Label2.Text = " " ; //Label3.Text = " "; Label4.Text = " " ; } con.Close(); } } } public class Throttler { private int _requestLimit; private int _timeoutInSeconds; private string _key; public static string NextAccessDate; public bool RequestShouldBeThrottled( string key, int requestLimit = 5, int timeoutInSeconds = 180) { _requestLimit = requestLimit; _timeoutInSeconds = timeoutInSeconds; _key = key; ThrottleInfo throttleInfo = (ThrottleInfo)HttpRuntime.Cache[_key]; if (throttleInfo == null ) { throttleInfo = new ThrottleInfo { ExpiresAt = DateTime.Now.AddSeconds(_timeoutInSeconds), RequestCount = 0, }; NextAccessDate=throttleInfo.ExpiresAt.ToString(); } throttleInfo.RequestCount++; HttpRuntime.Cache.Add(_key, throttleInfo, null , throttleInfo.ExpiresAt, Cache.NoSlidingExpiration, CacheItemPriority.Normal, null ); return (throttleInfo.RequestCount > _requestLimit); } } public class ThrottleInfo { public DateTime ExpiresAt { get ; set ; } public int RequestCount { get ; set ; } }

Loknadh Ravineni · Answer

Hi Vrushali Ghodke Thanks for Replying me But My biggest doubt is that how to identify that malicious user in Particular because an anynomous user have been posting the comment the details hardly we get is ip (That also The host IP Not the Individual IPAddress )or anything like e-mail but he could change the email and again starts making the comments again and again How to handle this scenario I am totally confused about this how to limit him from making the comments from the particular device(say laptop ,or computer) from which he is continuously making the comments

Vrushali Ghodke · Answer

The better way is to only allow the lookup services to registered users. For this, you must provide a user database and authentication system (for example password-based). The requests should be logged in the database, keyed by the user's ID. If then a new session starts, the user must first authenticate again, and once authenticated the request history is retrieved from the database. This way the user cannot cheat around it by changing something on their client configuration (IP address, cookies, employing multiple devices in parallel)

Loknadh Ravineni · Answer

i changed my source code and tried to use cookies such that i could restrict the particular user upto some extent if he makes the request from that particular bowser(say Google) it is restricting but the problem is as we know that cookies are browser dependent the same person send requests from the other browser (say firefox) how ca i restrict the user to do so . here is the source code what i had changed from the above protected void Page_Load(object sender, EventArgs e) { if (!Page.IsPostBack) { ipaddress = Request.ServerVariables["HTTP_X_FORWARDED_FOR"]; if (ipaddress == "" || ipaddress == null&&(Request.Cookies["Appcookie"]==null)) { ipaddress = Request.ServerVariables["REMOTE_ADDR"]; strSessionID = HttpContext.Current.Session.SessionID; HttpCookie httpCookie = new HttpCookie("Appcookie"); UID = GetUniqueID(); Response.Cookies["Appcookie"].Value = UID; httpCookie.Expires = DateTime.Now.AddDays(1); } } } private static Random random = new Random(); private string GetUniqueID() { const string chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; return new string(Enumerable.Repeat(chars,10) .Select(s => s[random.Next(s.Length)]).ToArray()); } this is the part i had updatedd and remaining code is same as it is

Vrushali Ghodke · Answer

check the below link https://stackoverflow.com/questions/34475376/how-to-limit-the-number-of-user-requests-made-within-a-minute

How to limit the number of requests per user to a page

Answers (4)