Rate limit based on session ID

[getub]

I could not find any discussion in the issues on support of session ID for ratelimiting. Wouldn't it be a more suitable parameter rather than IP address. This would especially be useful for visitors that share a common IP address e.g. a corporation.

[jsocol]

You can write your own method to use the session ID as the ratelimit key. key supports callables and dotted paths to callables.

Ratelimiting by session ID provides too little utility to be in the core.

• If the user is logged in, you can use the user ID.
• If the user is not logged in, they can change their session ID at will by erasing or ignoring the cookie.

(Yes, it's possible to spoof IP addresses, but if someone is going to that trouble you have to assume they're willing to ignore session cookies, too.)

I use ratelimit on a site that gets a lot of traffic from schools, who are probably the biggest NAT offenders. This is exactly why ratelimit's default is not to block requests, but to annotate them so you could, e.g., require a captcha. I also mention NAT in the Security Considerations section of the docs.

[getub]

I use ratelimit on a site that gets a lot of traffic from schools, who are probably the biggest NAT offenders. This is exactly why ratelimit's default is not to block requests, but to annotate them so you could, e.g., require a captcha.

What's your strategy to reset ratelimit after captcha is successful ? A view may have more than one ratelimiters, how do you know which one should be reset after the captcha. 1 way is to put the cache key as a POST parameter, but that can be spoofed with little effort. Any other ideas ?

[jsocol]

Honestly my strategy is to fix #36.