
Question: Can I use both ClientId and Ip rules at same time?

Open lndr-ssantos opened this issue 4 years ago • 3 comments

lndr-ssantos avatar Dec 15 '20 17:12 lndr-ssantos

thinking about the same question... any news about this question ?

bgiot avatar Apr 16 '21 06:04 bgiot

I've just run into the same thing - YES you can (I found out). Probably a good idea to make sure the rules don't overlap - not sure what the behavior would be, as you have to add both limiters to the request pipeline and presumably they don't talk to each other: IPLimit may hit when the ClientId limit doesn't, and vice versa.

My situation - web application with public login form. I was using client ID limiting, but on the login form no one is authenticated, so everyone shared the same limit - which finally (and unexpectedly) shut everyone out from logging in when we hit the weekly quota as usage ramped up.

In our case, our user IDs are email addresses, so another approach would have been to keep using just client limits and implement a custom resolver that would have returned the client IP address (string) only if the user wasn't logged in (such as on the login page), preventing the sharing of limits without the additional IP address rules configuration.

lacutah avatar May 02 '21 04:05 lacutah
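One way to implement the custom resolver lacutah describes above, as an added example that is not code from this thread or from the AspNetCoreRateLimit project. It assumes the 4.x API shape (IClientResolveContributor.ResolveClientAsync taking an HttpContext, and a RateLimitConfiguration base class with an overridable RegisterResolvers); the class names are hypothetical.

```csharp
using System.Threading.Tasks;
using AspNetCoreRateLimit;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Options;

// Hypothetical resolver: authenticated users get their own bucket keyed on
// their user name; anonymous requests (e.g. the login page) are keyed on the
// remote IP instead, so they no longer share one "anonymous" client quota.
public class UserOrIpResolveContributor : IClientResolveContributor
{
    public Task<string> ResolveClientAsync(HttpContext httpContext)
    {
        var identity = httpContext.User?.Identity;
        if (identity?.IsAuthenticated == true && !string.IsNullOrEmpty(identity.Name))
        {
            // Prefix avoids a user name ever colliding with an IP string.
            return Task.FromResult("user:" + identity.Name);
        }

        // Behind a reverse proxy RemoteIpAddress is the proxy's address unless
        // the forwarded-headers middleware is configured for trusted proxies;
        // without it every anonymous request would share a single bucket again.
        var ip = httpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown";
        return Task.FromResult("ip:" + ip);
    }
}

// Replaces the default header-based client resolver with the one above while
// keeping whatever IP resolvers the base class registers (assumed behaviour).
public class UserOrIpRateLimitConfiguration : RateLimitConfiguration
{
    public UserOrIpRateLimitConfiguration(
        IOptions<IpRateLimitOptions> ipOptions,
        IOptions<ClientRateLimitOptions> clientOptions)
        : base(ipOptions, clientOptions) { }

    public override void RegisterResolvers()
    {
        base.RegisterResolvers();
        ClientResolvers.Clear();
        ClientResolvers.Add(new UserOrIpResolveContributor());
    }
}

// Registration (Startup.ConfigureServices or Program.cs):
// services.AddSingleton<IRateLimitConfiguration, UserOrIpRateLimitConfiguration>();
```

For httpContext.User to be populated, the client rate-limiting middleware has to run after UseAuthentication() in the pipeline; placed before it, every request resolves as anonymous and falls back to the IP key.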

> I've just run into the same thing - YES you can (I found out). Probably a good idea to make sure the rules don't overlap - not sure what the behavior would be, as you have to add both limiters to the request pipeline and presumably they don't talk to each other: IPLimit may hit when the ClientId limit doesn't, and vice versa.
>
> My situation - web application with public login form. I was using client ID limiting, but on the login form no one is authenticated, so everyone shared the same limit - which finally (and unexpectedly) shut everyone out from logging in when we hit the weekly quota as usage ramped up.
>
> In our case, our user IDs are email addresses, so another approach would have been to keep using just client limits and implement a custom resolver that would have returned the client IP address (string) only if the user wasn't logged in (such as on the login page), preventing the sharing of limits without the additional IP address rules configuration.

How did you manage to define both rules (clientid/ip) at the same time?

russia avatar Jul 15 '22 09:07 russia