Source: libcgi-application-plugin-ratelimit-perl
Maintainer: Debian Perl Group
Uploaders: Jaldhar H. Vyas
Section: perl
Testsuite: autopkgtest-pkg-perl
Priority: optional
Build-Depends: debhelper (>= 8)
Build-Depends-Indep: libcgi-pm-perl | perl (<< 5.19), perl, libcgi-application-perl, libclass-accessor-perl, libdbi-perl, libdbd-sqlite3-perl
Standards-Version: 3.9.6
Vcs-Browser: https://anonscm.debian.org/cgit/pkg-perl/packages/libcgi-application-plugin-ratelimit-perl.git
Vcs-Git: git://anonscm.debian.org/pkg-perl/packages/libcgi-application-plugin-ratelimit-perl.git
Homepage: https://metacpan.org/release/CGI-Application-Plugin-RateLimit

Package: libcgi-application-plugin-ratelimit-perl
Architecture: all
Depends: ${misc:Depends}, ${perl:Depends}, libcgi-application-perl, libclass-accessor-perl
Recommends: libcgi-application-plugin-dbh-perl
Enhances: libcgi-application-perl
Breaks: libcgi-application-extra-plugin-bundle-perl (<< 0.5)
Replaces: libcgi-application-extra-plugin-bundle-perl (<< 0.5)
Description: Perl module for limiting the runmode call rate per user
 CGI::Application::Plugin::RateLimit provides protection against a user
 calling a runmode too frequently. A typical use case might be a contact
 form that sends email. You'd like to allow your users to send you
 messages, but thousands of messages from a single user would be a problem.
 .
 This module works by maintaining a database of hits to protected runmodes.
 It then checks this database to determine if a new hit should be allowed
 based on past activity by the user. The user's identity is, by default,
 tied to login (via REMOTE_USER) or IP address (via REMOTE_IP) if login
 info is not available. You may provide your own identity function via the
 identity_callback() method.
 .
 To use this module you must create a table in your database with the
 following schema (using MySQL syntax, although other DBs may work as well
 with minor alterations):
 .
   CREATE TABLE rate_limit_hits (
     user_id   VARCHAR(255) NOT NULL,
     action    VARCHAR(255) NOT NULL,
     timestamp UNSIGNED INTEGER NOT NULL,
     INDEX (user_id, action, timestamp)
   );
 .
 You may feel free to vary the storage type and size of user_id and action
 to match your usage. For example, if your identity_callback() always
 returns an integer you could make user_id an integer column.
 .
 This table should be periodically cleared of old data. Anything older than
 the maximum timeframe being used can be safely deleted.
 .
 IMPORTANT NOTE: The protection offered by this module is not perfect.
 Identifying a user on the internet is very hard, and a sophisticated
 attacker can work around these checks by switching IPs or automating
 login creation.
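The hit-counting check and the periodic purge that the description outlines, as an added example that is not part of the package or of the module's own code: it re-implements the mechanism in Python over the described table rather than calling the module's API. The table is ported to SQLite (the inline INDEX clause is MySQL-only), and the 600-second window, the 3-hit limit, the `send_message` action name and the constructed CGI environment are assumptions.

```python
import sqlite3

# Constructed example: the rate_limit_hits table from the description, adapted to
# SQLite (the inline INDEX clause is MySQL-only, so it becomes CREATE INDEX).
SCHEMA = """
CREATE TABLE rate_limit_hits (
    user_id   VARCHAR(255) NOT NULL,
    action    VARCHAR(255) NOT NULL,
    timestamp UNSIGNED INTEGER NOT NULL
);
CREATE INDEX rate_limit_hits_idx ON rate_limit_hits (user_id, action, timestamp);
"""

def identity(env):
    """Default identity rule from the description: login name, else client IP."""
    return env.get("REMOTE_USER") or env.get("REMOTE_IP")

def check_rate_limit(db, user_id, action, now, timeframe, max_hits):
    """Allow the hit if fewer than max_hits were recorded in the last `timeframe`
    seconds. Allowed hits are recorded; refused ones are not."""
    (count,) = db.execute(
        "SELECT COUNT(*) FROM rate_limit_hits "
        "WHERE user_id = ? AND action = ? AND timestamp > ?",
        (user_id, action, now - timeframe)).fetchone()
    if count >= max_hits:
        return False
    db.execute("INSERT INTO rate_limit_hits (user_id, action, timestamp) "
               "VALUES (?, ?, ?)", (user_id, action, now))
    return True

def purge_old_hits(db, now, max_timeframe):
    """Periodic cleanup: rows older than the longest timeframe in use can go."""
    return db.execute("DELETE FROM rate_limit_hits WHERE timestamp <= ?",
                      (now - max_timeframe,)).rowcount

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    user = identity({"REMOTE_IP": "198.51.100.7"})  # constructed CGI environment
    t0 = 1_000_000
    # Limit of 3 hits per 600 s: attempts 4 and 5 inside the window are refused.
    burst = [check_rate_limit(db, user, "send_message", t0 + i, 600, 3)
             for i in range(5)]
    # 601 s after the first hit only one recorded hit is still inside the window.
    later = check_rate_limit(db, user, "send_message", t0 + 601, 600, 3)
    purged = purge_old_hits(db, t0 + 2000, 600)  # all four recorded rows are stale
    return burst, later, purged
```

Calling `demo()` returns `([True, True, True, False, False], True, 4)`; the purge threshold must be the longest timeframe configured for any protected runmode, or a still-active window loses its history.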