Reputation: 18065
How do I implement rate limiting in an ASP.NET MVC site?
I'm building an ASP.NET MVC site where I want to limit how often authenticated users can use some functions of the site.
Although I understand how rate-limiting works fundamentally, I can't visualize how to implement it programatically without creating a major code smell.
Can you point me towards a simple yet powerful solution for approaching such a problem, with C# sample code?
If it matters, all of these functions are currently expressed as Actions that only accept HTTP POST. I may eventually want to implement rate-limiting for HTTP GET functions as well, so I'm looking for a solution that works for all such circumstances.
Upvotes: 23
Views: 28143
Answers (3)
Reputation: 5042
.Net 6
Check it out:
Nuget: https://www.nuget.org/packages/DotNetRateLimiter/
It is simple:
[HttpGet("")]
[RateLimit(PeriodInSec = 60, Limit = 3)]
public IEnumerable<WeatherForecast> Get()
{
....
}
And even you can control request by route or query parameters:
[HttpGet("by-query/{id}")]
[RateLimit(PeriodInSec = 60, Limit = 3, RouteParams = "id", QueryParams = "name,family")]
public IEnumerable<WeatherForecast> Get(int id, string name, [FromQuery] List<string> family)
{
....
}
Upvotes: 3
Reputation: 39807
Have a look at Jarrod's answer on how they do this on SO.
Some example code as well as explanation on how it works.
Upvotes: 5
Reputation: 1038780
If you are using IIS 7 you could take a look at the Dynamic IP Restrictions Extension. Another possibility is to implement this as an action filter:
[AttributeUsage(AttributeTargets.Method, AllowMultiple = false)]
public class RateLimitAttribute : ActionFilterAttribute
{
public int Seconds { get; set; }
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
// Using the IP Address here as part of the key but you could modify
// and use the username if you are going to limit only authenticated users
// filterContext.HttpContext.User.Identity.Name
var key = string.Format("{0}-{1}-{2}",
filterContext.ActionDescriptor.ControllerDescriptor.ControllerName,
filterContext.ActionDescriptor.ActionName,
filterContext.HttpContext.Request.UserHostAddress
);
var allowExecute = false;
if (HttpRuntime.Cache[key] == null)
{
HttpRuntime.Cache.Add(key,
true,
null,
DateTime.Now.AddSeconds(Seconds),
Cache.NoSlidingExpiration,
CacheItemPriority.Low,
null);
allowExecute = true;
}
if (!allowExecute)
{
filterContext.Result = new ContentResult
{
Content = string.Format("You can call this every {0} seconds", Seconds)
};
filterContext.HttpContext.Response.StatusCode = (int)HttpStatusCode.Conflict;
}
}
}
And then decorate the action that needs to be limited:
[RateLimit(Seconds = 10)]
public ActionResult Index()
{
return View();
}
Upvotes: 39
Related Questions
- Best way to implement request throttling in ASP.NET MVC?
- Request Rate Limiting in IIS by url
- AspNetCoreRateLimit .NET Core 3.0 - How rate limiting can be implemented based on user claim?
- What is the best way to implement a rate-limiting algorithm for web requests?
- Client-side request rate-limiting
- How to use a throttled API without hitting limit?
- How to limit requests number to an Action in period of time
- How can I throttle CPU usage for a website in IIS 7?
- Calls-per-day rate limiting in ASP.NET MVC 3?
- Rate Limiting with ASP.NET and the global.asax