Page load frequency

  • frizzle

    Page load frequency

    Hi there,

    I need a function to prevent a page from being loaded too often too
    fast.
    So say, one is only allowed to refresh a single page 5 times in 10
    seconds, or 10 times in 5 seconds (or whatever ...).
    If the load frequency exceeds that, the site calls exit(), and a
    message is displayed. Just like Expression Engine does ...

    This way I want to protect the DB from being queried ridiculously
    often, and maybe even protect it from DDoS attacks.

    I hope it's clear. I don't know where to start ...

    Thanks!

  • Erwin Moller

    #2
    Re: Page load frequency

    frizzle wrote:
    > I need a function to prevent a page from being loaded too often too
    > fast.
    > So say, one is only allowed to refresh a single page 5 times in 10
    > seconds, or 10 times in 5 seconds (or whatever ...).
    > [...]
    > This way I want to protect the DB from being queried ridiculously
    > often, and maybe even protect it from DDoS attacks.
    Hi,

    You have to implement some kind of counting mechanism when the page starts.
    You can store the timestamp (now) in a database once the page runs, and
    check if it has been accessed more than X times in the last Y seconds.
    Just build it. :-)

    Of course this check will slow down each request to the page a little, but
    if the load of running the whole page is much higher, this may be worth the
    time.

    Regards,
    Erwin Moller


    • frizzle

      #3
      Re: Page load frequency


      Erwin Moller wrote:
      > You have to implement some kind of counting mechanism when the page starts.
      > You can store the timestamp (now) in a database once the page runs, and
      > check if it has been accessed more than X times in the last Y seconds.
      > Just build it. :-)
      Would this be a good thing to do with sessions?


      • frizzle

        #4
        Re: Page load frequency


        Erwin Moller wrote:
        > You can store the timestamp (now) in a database once the page runs, and
        > check if it has been accessed more than X times in the last Y seconds.
        Not to be stupid here, but I don't completely get one thing:

        Say one can load 5 times in 5 seconds;

        If someone loads the page at second 1, and then reloads three times
        between seconds 3 and 5, this would be 4 loads in 5 seconds. But if
        then he reloads 3 times between seconds 5 and 7, it's 6 loads in (less
        than) 5 seconds, though AFAIK your idea would have "approved" this.

        How could I fix this?

        Thanks!


        • Willem Bogaerts

          #5
          Re: Page load frequency

          I know that the Abyss web server has DoS attack protection settings. I
          am not that familiar with Apache or IIS, but I guess you could instruct
          your web server to deal with this.

          Best regards

          frizzle wrote:
          > This way I want to protect the DB from being queried ridiculously
          > often, and maybe even protect it from DDoS attacks.


          • Erwin Moller

            #6
            Re: Page load frequency

            frizzle wrote:
            > Would this be a good thing to do with sessions?
            >
            > Not to be stupid here, but I don't completely get one thing:
            >
            > Say one can load 5 times in 5 seconds;
            >
            > If someone loads the page at second 1, and then reloads three times
            > between seconds 3 and 5, this would be 4 loads in 5 seconds. But if
            > then he reloads 3 times between seconds 5 and 7, it's 6 loads in (less
            > than) 5 seconds, though AFAIK your idea would have "approved" this.
            >
            > How could I fix this?
            Hi,

            first question: Session.
            I was unsure if you wanted to protect against a single user or against all
            users.
            If you want to protect against a single user loading the page too much, you
            should use session, BUT if that visitor wants to circumvent your
            session logic, it is easy.
            Here is why: If you want to use a session with a visitor you send along a
            session id with each request and response. The session id is stored in the
            URL or cookie.
            Both can easily be manipulated by the visitor, so this will not really work.

            It would make more sense to use the remote IP address to maximize the number
            of requests to your page.

            Second question: How to implement the quota X times per Y secs?

            just a rough idea based on IP:
            create a table like this:
            CREATE TABLE tblrequest(
                IPnum TEXT,
                lastrequest DATETIME
            );

            Now above your script do this:
            1) Get the remote IP
            Use the remote address, read more here:
            http://nl3.php.net/manual/en/function.getenv.php

            2) delete from tblrequest ALL requests older than (now - Y secs)

            3) check if this IP has already exceeded the quota:
            Something like:
            SELECT COUNT(IPnum) FROM tblrequest
            WHERE (IPnum = '<IPnum found in step1>');

            if the count exceeds X, exit, otherwise continue with the rest of the
            script.


            Hope this helps.

            Regards,
            Erwin Moller


            • Erwin Moller

              #7
              Re: Page load frequency

              Erwin Moller wrote:
              > 3) check if this IP has already exceeded the quota:
              > Something like:
              > SELECT COUNT(IPnum) FROM tblrequest
              > WHERE (IPnum = '<IPnum found in step1>');
              >
              > if the count exceeds X, exit, otherwise continue with the rest of the
              > script.
              Oops forgot to mention the obvious:
              of course insert it in the table. :-)

              INSERT INTO tblrequest (IPnum, lastrequest)
              VALUES ('<IPnum found in step1>', NOW());

              Regards,
              Erwin Moller

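The scheme laid out in Erwin's posts #2, #6 and #7, run as an added example. This is not code from the thread: it is a Python translation of the PHP-plus-SQL steps, using an SQLite table of the same shape, with the quota, the IP addresses and the request timestamps constructed for the demo. It also answers frizzle's question in #4: because every request counts the rows of the trailing Y seconds, the seventh load in his scenario is the sixth inside a five-second window and is refused, which is the case he feared would be approved. Two details the thread leaves implicit are included: the purge, insert and count run in one transaction so that two concurrent requests cannot both slip under the quota, and the address comes from REMOTE_ADDR rather than from a client-supplied header such as X-Forwarded-For, which is only honoured when the request arrives from a reverse proxy you control (the trusted_proxies parameter is an assumption of this example, not something the thread describes).

```python
import sqlite3
import time
from typing import Callable, Dict, FrozenSet, List

# Quota constructed for the demo: frizzle's "5 loads in 5 seconds".
MAX_REQUESTS = 5
WINDOW_SECONDS = 5.0


def client_ip(environ: Dict[str, str],
              trusted_proxies: FrozenSet[str] = frozenset()) -> str:
    """Pick the address to count on. REMOTE_ADDR is filled in by the web
    server from the TCP peer and cannot be forged by the client; headers such
    as X-Forwarded-For are client-supplied and are honoured only when the
    peer is one of our own reverse proxies, in which case the last entry is
    the address that proxy actually saw. (trusted_proxies is an assumption
    of this example.)"""
    peer = environ["REMOTE_ADDR"]
    if peer in trusted_proxies:
        forwarded = environ.get("HTTP_X_FORWARDED_FOR", "")
        if forwarded:
            return forwarded.split(",")[-1].strip()
    return peer


class PageLoadLimiter:
    """Sliding-window limiter following the thread's tblrequest scheme:
    purge rows older than the window, record this request, count rows for
    the IP, refuse when the count exceeds the quota."""

    def __init__(self, max_requests: int = MAX_REQUESTS,
                 window_seconds: float = WINDOW_SECONDS,
                 clock: Callable[[], float] = time.time,
                 db_path: str = ":memory:"):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock  # injectable so the demo can replay timestamps
        self.db = sqlite3.connect(db_path)
        # Same columns as the thread's table; lastrequest is kept as seconds
        # since the epoch so the window arithmetic is a plain comparison.
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS tblrequest ("
            " IPnum TEXT NOT NULL, lastrequest REAL NOT NULL)")
        self.db.execute("CREATE INDEX IF NOT EXISTS idx_ip ON tblrequest (IPnum)")
        self.db.execute("CREATE INDEX IF NOT EXISTS idx_ts ON tblrequest (lastrequest)")

    def allow(self, ip: str) -> bool:
        """Record one request from ip; True if it is still within quota."""
        now = self.clock()
        # Purge, insert and count run in one transaction; the database's
        # write lock serialises concurrent requests, so two of them cannot
        # both observe count == max_requests and both get through.
        with self.db:
            self.db.execute("DELETE FROM tblrequest WHERE lastrequest <= ?",
                            (now - self.window,))
            self.db.execute(
                "INSERT INTO tblrequest (IPnum, lastrequest) VALUES (?, ?)", (ip, now))
            (count,) = self.db.execute(
                "SELECT COUNT(*) FROM tblrequest WHERE IPnum = ?", (ip,)).fetchone()
        return count <= self.max_requests


def replay(timestamps: List[float], ip: str = "203.0.113.7") -> List[bool]:
    """Feed request times (seconds) through a fresh limiter; return verdicts."""
    now = [0.0]
    limiter = PageLoadLimiter(clock=lambda: now[0])
    verdicts = []
    for t in timestamps:
        now[0] = t
        verdicts.append(limiter.allow(ip))
    return verdicts


# frizzle's worry from post #4: one load at second 1, three between seconds
# 3 and 5, three more between 5 and 7 (timestamps constructed for the demo).
FRIZZLE_SCENARIO = [1.0, 3.0, 4.0, 5.0, 5.5, 6.0, 7.0]


def frizzle_verdicts() -> List[bool]:
    """The seventh load is the sixth inside a 5-second window and is refused."""
    return replay(FRIZZLE_SCENARIO)


if __name__ == "__main__":
    print(frizzle_verdicts())  # [True, True, True, True, True, True, False]
    print(client_ip({"REMOTE_ADDR": "198.51.100.9",
                     "HTTP_X_FORWARDED_FOR": "1.2.3.4"}))  # 198.51.100.9
```

In a page you would call allow(client_ip(environ)) before the first real database query and exit() with the message when it returns False. Note that a refused request is still recorded, so a client that keeps hammering stays blocked until it backs off for the full window.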

              • frizzle

                #8
                Re: Page load frequency


                Erwin Moller wrote:
                > If you want to protect against a single user loading the page too much,
                > you should use session, BUT if that visitor wants to circumvent your
                > session logic, it is easy.
                > [...]
                > It would make more sense to use the remote IP address to maximize the
                > number of requests to your page.
                Hmm, this kind of overlaps my other issue:
                Logging in users. I know there are a lot of topics out there, but none of
                them seem to have a real answer:

                I was told using IP (also with pageloads) isn't safe as some ISPs
                change IP addresses. Are sessions really that unsafe? I thought they
                could only be manipulated if you have access to the server ...


                Thanks for explaining.


                • Erwin Moller

                  #9
                  Re: Page load frequency

                  frizzle wrote:
                  > I was told using IP (also with pageloads) isn't safe as some ISPs
                  > change IP addresses.
                  True.
                  I heard AOL does that.
                  But you wouldn't be the first to ignore them. ;-)

                  And in your case it doesn't matter. If you protect your pages based on
                  remote IP, the fact that these users change IP addresses will not block them.

                  But I think you have little choice, since 'protecting' your pages via
                  sessions can easily be circumvented as I described in my other posting.

                  > Are sessions really that unsafe? I thought they
                  > could only be manipulated if you have access to the server ...
                  Many tricks exist to breach sessions.
                  I wouldn't say 'sessions are unsafe', but a little knowledge of their workings
                  won't hurt to protect yourself.

                  A few possible problems with sessions:
                  - session hijacking. Somebody taps in on the internet traffic and sees your
                  session id and uses it (while it is still active = not timed out) to gain
                  access to the server like the real user does.
                  (This can be blocked by storing the IP number in the session and when it
                  changes, refusing the request.)
                  Hijacking can also be blocked if you use safe transport via https/ssl.

                  - Same server / another user on that server has access to the directory
                  where the sessions are stored. (Talk with your ISP, or check yourself: can
                  you see the content of the session directory? Can you open a random
                  session file, not belonging to your site, in there?)

                  - Session fixation
                  A link is provided on: http://nl3.php.net/manual/en/ref.session.php

                  I think I would use the IP-block scheme in your case, not sessions, since a new
                  session can easily be started on each request.

                  Regards,
                  Erwin Moller

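The session problems Erwin lists in the post above, as an added example in Python. It is not code from the thread: PHP's session directory is stood in for by an in-memory dict, and the addresses and user name are constructed. It shows the IP check he suggests against hijacking, and regeneration of the session id at login against fixation, beside the fixation-prone variant that keeps the planted id so the difference is visible. The directory-permissions problem and https are outside what a dict can demonstrate. Note the cost of the IP check, which follows from the AOL point above: a legitimate user whose address changes mid-session is thrown out as well.

```python
import secrets
from typing import Dict, Optional

# Addresses constructed for the demo (RFC 5737 documentation ranges).
VICTIM_IP = "203.0.113.7"
ATTACKER_IP = "198.51.100.9"

Session = Dict[str, Optional[str]]


class SessionStore:
    """Server-side session table standing in for PHP's session directory.
    A session is bound to the IP that started it and refused from any other
    address (the hijack case), and logging in issues a fresh id so an id
    planted in the victim's browser beforehand never becomes an
    authenticated one (the fixation case)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        return secrets.token_hex(16)  # 128 bits from the OS CSPRNG: unguessable

    def start(self, client_ip: str) -> str:
        """Open an anonymous session for client_ip and return its id."""
        sid = self._new_id()
        self._sessions[sid] = {"ip": client_ip, "user": None}
        return sid

    def resume(self, sid: str, client_ip: str) -> Optional[Session]:
        """Look up sid as presented by client_ip; None if unknown or hijacked."""
        data = self._sessions.get(sid)
        if data is None:
            return None  # an id we never issued (attacker-chosen, or expired)
        if data["ip"] != client_ip:
            # Same id from a different address: treat as a stolen cookie and
            # destroy it, which also logs out the real user.
            del self._sessions[sid]
            return None
        return data

    def login(self, sid: str, client_ip: str, user: str,
              regenerate: bool = True) -> str:
        """Authenticate the session. With regenerate=True the old id is retired
        and a new one returned; regenerate=False is the fixation-prone variant."""
        data = self.resume(sid, client_ip)
        if data is None:
            raise PermissionError("no valid session")
        if not regenerate:
            data["user"] = user
            return sid
        del self._sessions[sid]
        new_sid = self._new_id()
        self._sessions[new_sid] = {"ip": client_ip, "user": user}
        return new_sid


def hijack_blocked() -> bool:
    """Attacker sniffs the victim's id and replays it from another address."""
    store = SessionStore()
    sid = store.login(store.start(VICTIM_IP), VICTIM_IP, "alice")
    return store.resume(sid, ATTACKER_IP) is None


def fixation_user_seen(regenerate: bool) -> Optional[str]:
    """Attacker behind the same NAT as the victim obtains an id, plants it in
    the victim's browser, waits for the login, then presents the planted id.
    Returns the user the attacker ends up with, or None."""
    store = SessionStore()
    planted = store.start(VICTIM_IP)  # attacker shares the victim's address
    store.login(planted, VICTIM_IP, "alice", regenerate=regenerate)
    data = store.resume(planted, VICTIM_IP)
    return None if data is None else data["user"]


if __name__ == "__main__":
    print(hijack_blocked())               # True
    print(fixation_user_seen(True))       # None
    print(fixation_user_seen(False))      # alice
```

The IP check only helps when the hijacker sits somewhere else; the fixation scenario deliberately puts attacker and victim behind one address to show why regeneration at login is needed independently of it.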

                  • Jerry Stuckle

                    #10
                    Re: Page load frequency

                    Erwin Moller wrote:
                    frizzle wrote:
                    >
                    >
                    >>Erwin Moller schreef:
                    >>
                    >>
                    >>>Erwin Moller wrote:
                    >>>
                    >>>
                    >>>>frizzle wrote:
                    >>>>
                    >>>>
                    >>>>>frizzle wrote:
                    >>>>>
                    >>>>>>Erwin Moller wrote:
                    >>>>>>
                    >>>>>>>frizzl e wrote:
                    >>>>>>>
                    >>>>>>>
                    >>>>>>>>Hi there,
                    >>>>>>>>
                    >>>>>>>>I need a function to prevent a page from being loaded too often
                    >>>>>>>>too fast.
                    >>>>>>>>So say, one is only allowed to refresh a single page 5 times in
                    >>>>>>>>10 seconds, or 10 times in 5 seconds (or whatever ... ).
                    >>>>>>>>If the load frequency exceeds that, the site calls exit(); And a
                    >>>>>>>>messa ge is displayed. Just like Expression Engine does ...
                    >>>>>>>>
                    >>>>>>>>This way i want to protect the DB from being queried rediculously
                    >>>>>>>>often , and maybe even protect it from DDOS attacks.
                    >>>>>>>>
                    >>>>>>>>I hope it's clear. I don't know where to start ..
                    >>>>>>>>
                    >>>>>>>>Thank s!
                    >>>>>>>
                    >>>>>>>Hi,
                    >>>>>>>
                    >>>>>>>You have to implement some kind of countingmechani sm when the page
                    >>>>>>>starts . You can store the timestamp (now) in a database once the
                    >>>>>>>page runs, and check if it has been accessed more than X times last
                    >>>>>>>Y seconds. Just build it. :-)
                    >>>>>>>
                    >>>>>>>Of course this check will slow down each request to the page a
                    >>>>>>>little , but if the load of running the whole page is much higher,
                    >>>>>>>this may be worth the time.
                    >>>>>>>
                    >>>>>>>Regard s,
                    >>>>>>>Erwin Moller
                    >>>>>>
                    >>>>>>Would this be a good thing to do with sessions ?
                    >>>>>
                    >>>>>Not to be stupid here, but i don't completely get one thing:
                    >>>>>
                    >>>>>Say one can load 5 times in 5 seconds;
                    >>>>>
                    >>>>>If someone loads the page at second 1, and then reloads three times
                    >>>>>between second 3 and five, this would be 4 loads in 5 seconds. But if
                    >>>>>then he reloads 3 times between seconds 5 and 7, it's 6 loads in (less
                    >>>>>then) 5 seconds, though AFAIK your idea would have "approved" this.
                    >>>>>
                    >>>>>How could i fix this?
                    >>>>>
                    >>>>>Thanks!
                    >>>>
                    >>>>Hi,
                    >>>>
                    >>>>first question: Session.
                    >>>>I was unsure if you wanted to protect against a single user or against
                    >>>>all users.
                    >>>>If you want to protect against a single user loading the page too much,
                    >>>>you should use session, BUT if that visitor wants to circumvent your
                    >>>>sessionlogi c, it is easy.
                    >>>>Here is why: If you want to use a session with a visitor you send along
                    >>>>a sessionid with each request and response. The sessionid is stored in
                    >>>>the URL or cookie.
                    >>>>Both can easily be manipulated by the visitor, so this will not really
                    >>>>work.
                    >>>>
                    >>>>It would make more sense to use the remote IP-address to maximize the
                    >>>>number of requests to your page.
                    >>>>
                    >>>>Second querstion: How to implement the quota X times per Y secs?
                    >>>>
                    >>>>just a rouch idea based on IP:
                    >>>>create a table like this:
                    >>>>CREATE TABLE tblrequest(
                    >>>IPnum text,
                    >>>lastreques t datetime
                    >>>>)
                    >>>>
                    >>>>Now above your script do this:
                    >>>>1) Get the remote IP
                    >>>>Use remoteadress, read more here:
                    >>>>http://nl3.php.net/manual/en/function.getenv.php
                    >>>>
                    >>>>2) delete from tblrequest ALL requests older than (now - Y secs)
                    >>>>
                    >>>>3) check if this IP has already exceeded the quota:
                    >>>>Something like:
                    >>>>SELECT COUNT(IPnum) FROM tblrequest
                    >>>> WHERE (IPnum = '<IPnum found in step1>');
                    >>>>
                    >>>>if the count exceeds X, exit, otherwise continue with the rest of the
                    >>>>script.
                    >>>
                    >>>Oops forgot to mention the obvious:
                    >>>of course insert it in the table. :-)
                    >>>
                    >>>INSERT INTO tblrequest (IPnum,lastrequest)
                    >>> VALUES ('<IPnum found in step1>','now');
                    >>>
                    >>>Regards,
                    >>>Erwin Moller
                    >>
                    >>Hmm, this kind of overlaps my other issue:
                    >>Logging in users. I know there are a lot of topics out there, but none of
                    >>them seem to have a real answer:
                    >>
                    >>I was told using IP (also with pageloads) isn't safe as some ISP's
                    >>change IP addresses.
                    >
                    >
                    True.
                    I heard AOL does that.
                    But you wouldn't be the first to ignore them. ;-)
                    >
                    And in your case it doesn't matter. If you protect your pages based on
                    remote IP, the fact that these users change IP addresses will not block them.
                    >
                    But I think you have little choice, since 'protecting' your pages via
                    sessions can easily be circumvented as I described in my other posting.
                    >
                    >>Are sessions really that unsafe? I thought they
                    >>could only be manipulated if you have access to the server ...
                    >
                    >
                    Many tricks exist to breach sessions.
                    I wouldn't say 'sessions are unsafe' but a little knowledge of their workings
                    won't hurt to protect yourself.
                    >
                    A few possible problems with sessions:
                    - session hijacking. Somebody taps in on the internet traffic and sees your
                    sessionid and uses it (while it is still active = not timed out) to gain
                    access to the server like the real user does.
                    (This can be blocked by storing the IP number in the session and when it
                    changes, refuse the request.)
                    Hijacking can also be blocked if you use safe transport via https/ssl.
                    >
                    Not reliably. Many companies have proxies, where everyone in the
                    company would have the same IP address. And, as frizzle indicated, some
                    companies use multiple proxies - where the same user could get a
                    different IP address with every request.

                    Saving the IP in the session is not a safe way of doing it. If your
                    session is sensitive, use a secure connection (https).
                    - Same server / another user on that server has access to the directory
                    where the sessions are stored. (Talk with your ISP, or check yourself: can
                    you see the content of the session directory? Can you open a random
                    session file, not belonging to your site, in there?)
                    >
                    Very true.
                    - Session fixation
                    A link is provided on: http://nl3.php.net/manual/en/ref.session.php
                    >
                    I think I would use an IP-block scheme in your case, not sessions, since a new
                    session can easily be started on each request.
                    >
                    I agree. It's not foolproof, but it's about the best you'll do.

                    But I'll also add that many DOS attacks come from hackers with hundreds
                    of thousands of hijacked machines available to them. Even blocking by
                    IP won't necessarily be very effective.


                    Regards,
                    Erwin Moller
                    >
                    >
                    >>
                    >>Thanks for explaining.
                    >
                    >

                    --
                    ==================
                    Remove the "x" from my email address
                    Jerry Stuckle
                    JDS Computer Training Corp.
                    jstucklex@attglobal.net
                    ==================
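The quota procedure Erwin lays out in the post above (a request table; on each hit expire rows older than now minus Y, count the rows for this IP, refuse or insert) and frizzle's worry that six loads could slip through in under five seconds, as an added example that is not code from this thread: a Python/sqlite3 version of the same table. Erwin's names tblrequest, IPnum and lastrequest are kept; the function names, the REAL timestamp column and the 203.0.113.7 test address are constructed for the example.

```python
"""Sliding-window request quota keyed on the client IP, backed by SQLite.

Added example (not code from the thread): a Python/sqlite3 rendering of the
scheme Erwin describes. Table and column names are his; function names and
the constructed 203.0.113.7 test address are assumptions of this example.
"""
import sqlite3
import time

WINDOW_SECONDS = 5.0   # Y: length of the sliding window
MAX_REQUESTS = 5       # X: requests allowed per window per IP


def open_store(path=":memory:"):
    """Create the request log. lastrequest is a UNIX timestamp (REAL) so the
    cutoff arithmetic is done in the application, not in SQL datetime syntax."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS tblrequest ("
        "IPnum TEXT NOT NULL, lastrequest REAL NOT NULL)"
    )
    # The DELETE scans by time and the COUNT scans by IP; index both so the
    # check stays cheap even when the table is large.
    conn.execute("CREATE INDEX IF NOT EXISTS idx_req_time ON tblrequest(lastrequest)")
    conn.execute("CREATE INDEX IF NOT EXISTS idx_req_ip ON tblrequest(IPnum)")
    return conn


def check_and_record(conn, ip, now=None, window=WINDOW_SECONDS, limit=MAX_REQUESTS):
    """Return True if the request from `ip` is within quota (and log it),
    False if this IP already has `limit` requests in the last `window` seconds.

    The window is measured backwards from *this* request rather than from
    fixed 5-second buckets, so six loads spread over seconds 1..7 are refused
    as soon as the sixth one falls within `window` seconds of the first.
    """
    if now is None:
        now = time.time()
    cutoff = now - window
    # One transaction: expire, count and insert together, so concurrent
    # requests from the same IP cannot all read the same pre-insert count.
    with conn:
        conn.execute("DELETE FROM tblrequest WHERE lastrequest < ?", (cutoff,))
        (count,) = conn.execute(
            "SELECT COUNT(IPnum) FROM tblrequest WHERE IPnum = ?", (ip,)
        ).fetchone()
        if count >= limit:
            return False           # the page would exit() and show its message
        conn.execute(
            "INSERT INTO tblrequest (IPnum, lastrequest) VALUES (?, ?)", (ip, now)
        )
    return True


def simulate(timestamps, ip="203.0.113.7", window=WINDOW_SECONDS, limit=MAX_REQUESTS):
    """Replay a list of request times (seconds) from one constructed client
    address and return the allow/refuse decision for each request."""
    conn = open_store()
    return [check_and_record(conn, ip, t, window, limit) for t in timestamps]


if __name__ == "__main__":
    # frizzle's scenario: a load at second 1, three reloads between seconds 3
    # and 5, then three more between 5 and 7: six loads inside a 5 s span.
    hits = [1, 3, 4, 5, 5.5, 6, 7]
    for t, ok in zip(hits, simulate(hits)):
        print(f"t={t:>4}  {'allowed' if ok else 'REFUSED'}")
```

Because the cutoff is computed from the current request, this is a sliding window, which is what answers frizzle's question: a fixed bucket (seconds 1 to 5, then 6 to 10) would approve the sixth load at second 6, while the sliding window refuses it and lets the client through again at second 7 once the load from second 1 has aged out. Refused requests are not recorded, matching Erwin's steps; moving the INSERT above the check would instead keep a client that keeps hammering the page blocked until it backs off. The address passed in must be the web server's own REMOTE_ADDR (Erwin's getenv pointer), not a client-supplied header such as X-Forwarded-For, unless a trusted proxy in front of the server is known to set it; and, as Jerry notes, a corporate proxy puts many users behind one address, so set X and Y generously.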


                    • frizzle

                      #11
                      Re: Page load frequency


                      Thank you both for helping. I believe I learned something now about
                      fixation, but I still don't understand how to do it now.
                      Are there any tutorials with code examples based on what you think is
                      good out there?

                      Thanks for helping.

                      Frizzle.


                      • Curtis

                        #12
                        Re: Page load frequency

                        I may be mistaken, but couldn't you use session_regenerate_id
                        (http://php.net/session_regenerate_id) so that you don't have to worry
                        about the user contaminating the session ID?

                        The 17 August 2006 user note warns that PHP 4.3.2 won't resend an
                        updated session cookie, and provides a workaround.

                        Curtis

                        On Dec 20, 1:01 am, "frizzle" <phpfriz...@gmail.com> wrote:

