Comment by TheSheriff on "How can I limit a particular user to fixed number of requests ?"

CommentHow can I limit a particular user to fixed number of requests ?

TheSheriff

Co-Founder, Founder, Entrepreneur & Problem Solver

Jan 20, 2018

Can you elaborate a bit more on your second question? Call? As in webRTC?

The first part you could set a cookie/something in storage to check, or you can keep a DB of IP addresses and check/update requests per IP.

Both aren't a great solution as they can easily be navigated around, so I would suggest requiring users to be logged in so you have associated accounts with requests.

Anand Reddy Rikka

A Continuous Learner and passionate coder

Jan 20, 2018

Thanks, second question is basically how to differentiate whether call is made by user or some kind of program like a for - loop and making continuous calls.

TheSheriff

Co-Founder, Founder, Entrepreneur & Problem Solver

Jan 20, 2018

Not sure that's possible unfortunately. Might be wrong though :)

Chris Armstrong

Full Stack Developer

Jan 21, 2018

The typical way for tracking a user across sessions in a browser is through a cookie, which is automatically sent by the browser on subsequent requests.

However, there is nothing stopping a non-browser client from emulating this process by storing issued cookies themselves and re-sending them on subsequent API requests (cookies are just HTTP headers, after all).

You may be better off approaching this problem from another perspective, and requiring registration with an email address, or authentication with a third-party SSO provider like GMail or Facebook. This means that you still have authentication, but it's harder to "abuse" whatever service you're planning provide given the inherent difficulty in obtaining a new set of unique credentials.

Anand Reddy Rikka

A Continuous Learner and passionate coder

Jan 21, 2018

Chris Armstrong Thank you

Search Hashnode