limit web api access x per day

  • Question

  • User2131089582 posted

    I am building a dictionary app where the server uses ASP.NET Web API and the client is built with Android, and the client can subscribe.
    The app will have a feature that limits searching per day,
    so I assume I have to limit the client's access to the Web API.
    If the user doesn't log in, searching will be limited per day; a user who has not subscribed will also have the search feature limited.
    For a user who has subscribed, the search feature will not be limited.

    I have researched how to make this feature, and I found the keyword "throttling" for limiting Web API access. Here is what I read:
    https://www.radenkozec.com/request-throttling-in-asp-net-web-api/

    but I'm not sure whether this will work or not.
    Will it limit x searches per day when the user isn't logged in?
    Will it limit x searches per day when the user doesn't have a subscription?
    For a subscribed user, it should not limit the search feature to x per day.

    I have another idea: tracking with a database record, for which I need the device ID (Android).

    So my table will be like this:

    Limitation Table
    Id
    DeviceId
    Counter
    StartTime
    EndTime

    So when the user searches for something on Android, it will increment the "Counter", and when it reaches x, it will set StartTime to the current time
    and EndTime to DateTime.Now.AddDays(1).

    But what about someone who has logged in and subscribed? I'm still thinking about this. I hope you can give me an idea or guidance: is it better to use "throttling" or "track to database"?
    Thanks. Best regards.

    Wednesday, September 25, 2019 7:50 AM

All replies

  • User475983607 posted

    This is a duplicate thread.  See your previous threads for suggestions.

    https://forums.asp.net/t/2160065.aspx?limit+web+api+access+x+per+day

    If the suggestions did not help, explain why.  Also provide your source code, explain the expected results, and actual results.

    Throttling is related to the application as a whole, not an individual client, so it is not a good fit.  The database approach requires that you identify individual clients.  This can be accomplished by forcing the user to log in or using a cookie.  Again, these subjects are explained in detail in your previous thread.

    Wednesday, September 25, 2019 2:00 PM
  • User2131089582 posted

    Thank you very much for your response. It's not about code; I'm thinking about how it works, the good way to prototype something like I described. So what do you think: is it good to use the database approach instead of throttling? I assume that to identify the individual client I will use the Android device ID. Can you help me understand why I should not use throttling based on my code?

    Wednesday, September 25, 2019 2:11 PM
  • User475983607 posted

    Thank you very much for your response. It's not about code; I'm thinking about how it works, the good way to prototype something like I described. So what do you think: is it good to use the database approach instead of throttling? I assume that to identify the individual client I will use the Android device ID. Can you help me understand why I should not use throttling based on my code?

    I've expressed my thoughts and recommendation above and the community expressed theirs in your similar thread.   I'm not sure why you keep asking the same question expecting a different response.  

    The best I can recommend is that you try your approach and see if it works as you expect.

    Wednesday, September 25, 2019 5:42 PM
  • User2131089582 posted

    Hi there, thanks for your response. Where is the link you mean to the thread similar to mine? I see the link above redirects to my thread.

    Wednesday, September 25, 2019 10:45 PM
  • User475983607 posted

    Maybe I was mistaken and thinking of another thread.  Anyway, you use a cookie to persist page request counts.  You can also require the user to login before using the site.

    Wednesday, September 25, 2019 11:04 PM
  • User2131089582 posted

    Can you give me a tutorial on the web for how I can make something like this, the best practice for using cookies?

    Thursday, September 26, 2019 4:39 AM
  • User475983607 posted

    Can you give me a tutorial on the web for how I can make something like this, the best practice for using cookies?

    This is a state management question.   Every web application has to manage state simply because the web is stateless.  The best practice is picking a state management tool that fits your requirements.

    Cookies are a state management tool and well documented.  The design is very simple.  The cookie contains the request count and the cookie expires in 24 hours.  If the cookie does not exist, create the cookie and set the count to one.   Increment the cookie count value on each request.  If the count exceeds the request limit, redirect to an alert page. The logic can exist in a base controller or an event in the global.asax depending on your requirements.

    Keep in mind, this approach does not stop a savvy user that opens a different browser or deletes their cookies.

    You can learn about cookies in ASP.NET at the following link.  There's also Internet search.

    https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies

    Thursday, September 26, 2019 10:03 AM
  • User61956409 posted

    Hi hocamahdi99,

    You can maintain the device ID, request count, request limits and similar information somewhere (as mentioned, in a DB table, cookie or cache). Then, to restrict a client's or device's daily requests, you can check whether the request count of a specific client/device has exceeded the daily request limit, with the logic in a filter or the BeginRequest event in global.asax.

    With Regards,

    Fei Han

    Tuesday, October 8, 2019 6:40 AM
  • User2131089582 posted

    What about if they remove the cookies?

    Wednesday, October 9, 2019 6:17 AM
  • User475983607 posted

    What about if they remove the cookies?

    A more robust solution is forcing the user to login and storing the access count in a table.

    Wednesday, October 9, 2019 10:43 AM
  • User-474980206 posted

    Using a database (SQL or NoSQL) to track access makes sense. As the client is an Android app, you will need to decide how to assign the device ID. As long as you write and control the app this is easy. Your Web API will still be open to the internet and anyone can call it passing their own made-up device ID. You could have the app use a client key that is passed to the Web API to get a device ID. Then the app would need to be decompiled to get access. Be sure to use SSL for the Web API.

    Wednesday, October 9, 2019 2:14 PM
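
The server-side counting approach recommended in the replies above, as an added example that is not code from any poster in the thread. The names `DailyQuota`, `ClientTier` and the limits are hypothetical, an in-memory dictionary stands in for the database table, and the 24-hour window starts at the first counted request rather than when the limit is reached.

```csharp
using System;
using System.Collections.Concurrent;

// Hypothetical names; the server derives the tier from the authenticated
// session, never from a value the client sends.
public enum ClientTier { Anonymous, LoggedIn, Subscribed }

public sealed class DailyQuota
{
    private sealed class Window { public DateTime StartUtc; public int Count; }
    private readonly ConcurrentDictionary<string, Window> _windows =
        new ConcurrentDictionary<string, Window>();   // stand-in for the DB table
    private readonly int _anonymousLimit, _loggedInLimit;

    public DailyQuota(int anonymousLimit, int loggedInLimit)
    { _anonymousLimit = anonymousLimit; _loggedInLimit = loggedInLimit; }

    // key: "user:<id>" for a logged-in account, "device:<id>" otherwise.
    // A device id is client-supplied and can be made up, so it only limits honest clients.
    public bool TryConsume(string key, ClientTier tier, DateTime nowUtc)
    {
        if (tier == ClientTier.Subscribed) return true;    // subscribers are not limited
        int limit = tier == ClientTier.LoggedIn ? _loggedInLimit : _anonymousLimit;
        Window w = _windows.GetOrAdd(key, _ => new Window { StartUtc = nowUtc });
        lock (w)   // serialise concurrent requests from the same client
        {
            if (nowUtc - w.StartUtc >= TimeSpan.FromDays(1))
            {
                w.StartUtc = nowUtc;   // window expired: start a new day
                w.Count = 0;
            }
            if (w.Count >= limit) return false;   // over quota: caller returns HTTP 429
            w.Count++;
            return true;
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        var quota = new DailyQuota(anonymousLimit: 3, loggedInLimit: 5);
        var t0 = new DateTime(2019, 10, 9, 0, 0, 0, DateTimeKind.Utc);   // constructed sample time
        for (int i = 1; i <= 4; i++)   // the fourth search exceeds the anonymous limit
            Console.WriteLine("search " + i + ": " + quota.TryConsume("device:abc", ClientTier.Anonymous, t0.AddMinutes(i)));
        Console.WriteLine("next day: " + quota.TryConsume("device:abc", ClientTier.Anonymous, t0.AddDays(1).AddMinutes(5)));
        Console.WriteLine("subscriber: " + quota.TryConsume("user:42", ClientTier.Subscribed, t0));
    }
}
```

In a Web API project the `TryConsume` call would sit in an action filter or message handler, with the key taken from the authenticated user where one exists.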