[mod_python] Protecting Web apps from too many simultaneous clicks/Hacking

Michael S. Fischer michael at dynamine.net
Thu May 13 10:40:43 EDT 2004


Well, one problem with this approach is that the code that decrements the
session counter may never be reached, thus denying service to the user until
manual intervention takes place.

--Michael 

> -----Original Message-----
> From: mod_python-bounces at modpython.org 
> [mailto:mod_python-bounces at modpython.org] On Behalf Of 
> SAiello at Jentoo.com
> Sent: Thursday, May 13, 2004 11:16 AM
> To: mod_python at modpython.org
> Subject: [mod_python] Protecting Web apps from too many 
> simultaneous clicks/Hacking
> 
> Hello All,
> 
> I was curious for ideas on how to protect a mod_python web 
> application from someone submitting/requesting data very 
> quickly repeatedly. An example, I am building an IMAP webmail 
> application. Currently, if I click the view 'next set of 
> messages in email box' quickly over and over again, that 
> seems to spawn a bunch of apaches trying to service all those 
> requests. One problem is that I really don't want one user 
> being able to make my app take up a lot of CPU load by doing 
> this. Another is that I am storing the current message 
> position in a session variable, by spawning a bunch of 
> simultaneous requests I seem to be able to keep clicking 
> 'next' above the total number of messages.
> 
> A quick idea of mine to limit one simultaneous request per 
> session, was at the start of the request, create a session 
> variable that would store the total number of requests for 
> that session. Then I could check the number of requests, and 
> if the variable is greater than 1, sleep until it is lower than 1.
> 
> from mod_python import psp
> from mod_python import apache
> from mod_python import Session
> 
> cookieSecret="CisForCookieThatsGoodEnoughForMe"
> 
> def test1(req, **args):
> 	from mod_python import util
> 	from time import strftime, gmtime, time, sleep
> 	sess=Session.Session(req, None, cookieSecret)
> 	if not sess.has_key('REQUESTS'):
> 		sess['REQUESTS']=1
> 		sess.save()
> 	else:
> 		sess['REQUESTS']+=1
> 		sess.save()
> 		while sess['REQUESTS']>1:
> 			sleep(1)
> 
> <Rest of code>
> 
> 	sess['REQUESTS']-=1
> 	sess.save()
> 	return
> 
> Not sure if this is the best/cleanest method. Any Ideas, 
> thoughts, suggestions ?
> 
> Thanks,
>   Steven
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python
> 
> 
> 
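The following is an added example, not code from either message in this thread. It shows the shape a per-session guard would need to take to avoid the two problems discussed: the counter is released in a context manager's exit path, so a handler that raises cannot leave the session permanently "busy" (Michael's objection), and a caller that finds the session busy waits only up to a bounded time instead of sleeping forever. It also clamps the message position so concurrent "next" clicks cannot run past the mailbox size. The mod_python Session object is replaced by a module-level dict behind a threading.Lock so the example runs without Apache; the handler name `next_page`, the `position`/`total` keys and the timing values are assumptions for illustration. Note that under prefork Apache each worker process has its own memory, so a real deployment would keep the counter in the shared session backend rather than in a module-level dict.

```python
"""Per-session concurrency guard with guaranteed release (added example).

The mod_python Session is stood in for by a dict behind a lock so this
runs stand-alone; handler and key names are illustrative assumptions.
"""
import threading
import time

# Constructed stand-in for the session store: sid -> session dict.
_STORE = {}
_STORE_LOCK = threading.Lock()


class TooManyRequests(Exception):
    """Raised instead of sleeping forever when a session is already busy."""


class SessionGuard:
    """Admit at most `limit` in-flight requests per session id.

    Used as a context manager: the counter is decremented in __exit__,
    which runs even if the handler raises, so a crash cannot leave the
    session locked out until manual intervention.
    """

    def __init__(self, sid, limit=1, wait=2.0, poll=0.01):
        self.sid, self.limit, self.wait, self.poll = sid, limit, wait, poll

    def __enter__(self):
        deadline = time.monotonic() + self.wait
        while True:
            with _STORE_LOCK:
                sess = _STORE.setdefault(self.sid, {"REQUESTS": 0})
                if sess["REQUESTS"] < self.limit:
                    sess["REQUESTS"] += 1
                    return sess
            if time.monotonic() >= deadline:
                raise TooManyRequests(self.sid)   # bounded wait, not forever
            time.sleep(self.poll)

    def __exit__(self, exc_type, exc, tb):
        with _STORE_LOCK:
            _STORE[self.sid]["REQUESTS"] -= 1
        return False   # do not swallow the handler's exception


def next_page(sid, total, page_size=20):
    """'Next set of messages' handler: advance position, never past the end."""
    with SessionGuard(sid) as sess:
        pos = sess.get("position", 0)
        # Clamp so the first message of the last page is the highest position.
        pos = min(pos + page_size, max(total - page_size, 0))
        sess["position"] = pos
        return pos


def in_flight(sid):
    """Current REQUESTS counter for a session (0 when idle)."""
    with _STORE_LOCK:
        return _STORE.get(sid, {}).get("REQUESTS", 0)


def hammer(sid, total, clicks, page_size=20):
    """Simulate `clicks` simultaneous Next clicks; return (positions, rejected)."""
    positions, rejected = [], []

    def click():
        try:
            positions.append(next_page(sid, total, page_size))
        except TooManyRequests:
            rejected.append(sid)

    threads = [threading.Thread(target=click) for _ in range(clicks)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return positions, rejected


def rejects_when_busy(sid="busy"):
    """A second request on a session that is already in flight is refused."""
    with SessionGuard(sid):
        try:
            with SessionGuard(sid, wait=0.05):
                return False
        except TooManyRequests:
            return True


def release_after_error(sid="crash"):
    """A handler that raises must still release the session counter."""
    try:
        with SessionGuard(sid):
            raise RuntimeError("handler blew up")
    except RuntimeError:
        pass
    return in_flight(sid)


if __name__ == "__main__":
    print(hammer("demo", 45, 5))          # serialized clicks, clamped at 25
    print(rejects_when_busy(), release_after_error())
```

The guard serializes clicks for one session rather than letting them race, so the position advances one page per click and stops at the last page; a client that keeps a request in flight and fires another gets TooManyRequests after the bounded wait instead of tying up another Apache child indefinitely.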