anomalizer Wrote:
-------------------------------------------------------

> >Genuine users of specific application - this why
> I though that session
> >should be most reliable way. The other option is
> to limit by IP but
> >AFAIU this is not good in case several users are
> connecting from behind
> >the same proxy. Could you recommend other
> options?
>
> You need some sort of a way to ensure that the per
> user token (in this
> case session id in a cookie) was actually issued
> by you.

The web application which I need to throttle is a php one. I'm not a php coder and only slightly familiar with php - can I assign a custom algorithm to php session id generation?
Also how can I verify the session id inside nginx? Should I write a special verification code in nginx embedded perl?

> The token
> should have the following properties:
>
> * Computationally inexpensive to check if you had
> issued the token
>
> * Computationally prohibitive for others to create
> a token that will
> pass the test above
>
>
> Failure to produce a legitimate toke by the user
> shoudl result in a HTTP
> 403

Now that I think about cookie based limiting again - it's not clear to me how new client connections will be handled, by
the connection/request limiting modules, before the application assigns them a valid cookie?

Thanks