
Throttle requests to a .NET MVC action with a custom Action Filter

Karl Stoney, 28 Dec 2012
In this programming article I will show you how to create a custom action filter for .NET MVC which will throttle repeat requests.

Overview

In my day job I work for HP Enterprise Security Services, and part of my role is building secure and robust web applications which do everything possible to prevent malicious attacks. One of the simplest things you can do in your MVC project is to prevent repeat requests to a page. This is primarily useful for form submissions; for example, in the comments box you see on Jambr, I don't want people to be able to post to it over and over again, so I want to introduce a time limit between requests. There are also going to be a lot of places on a typical site where you want to limit such behaviour but don't want to repeat the code everywhere. This is where custom Action Filter Attributes come in.

Creating an Attribute

Creating a custom attribute is easy. Take a look at this piece of code; I'll explain what it does below:
<AttributeUsage(AttributeTargets.Method, AllowMultiple:=False)>
Public NotInheritable Class RequestThrottleAttribute
    Inherits ActionFilterAttribute

    Public Overrides Sub OnActionExecuting(filterContext As ActionExecutingContext)
        'Do some logic in here to decide what is going to happen
    End Sub
End Class
What we're doing here is inheriting from the ActionFilterAttribute class and overriding the OnActionExecuting method, which is where we will put our logic. I have decorated this class with some attributes of its own: AttributeTargets.Method states that this attribute can only be applied to methods, and AllowMultiple:=False states that there can only be one instance of it on a given method.

Expanding on the base Attribute

The next thing to do is to expand our logic a bit. Let's make this attribute as flexible as possible: for example, let's make the amount of time between requests configurable, and give the option to either redirect when an error occurs or simply add an error to the ModelState dictionary. Start by adding some properties to represent our customisable options:
    ''' <summary>
    ''' The amount of time between each request
    ''' </summary>
    ''' <value></value>
    ''' <returns></returns>
    ''' <remarks></remarks>
    Public Property TimeBetweenRequests As Integer = 5

    ''' <summary>
    ''' The name of the object in the ModelState to add an error too
    ''' </summary>
    ''' <value></value>
    ''' <returns></returns>
    ''' <remarks></remarks>
    Public Property ModelErrorName As String = Nothing

    ''' <summary>
    ''' The message to add to the ModelState object specified in ModelErrorName
    ''' </summary>
    ''' <value></value>
    ''' <returns></returns>
    ''' <remarks></remarks>
    Public Property ModelErrorValue As String = "Maximum number of requests exceeded"

    ''' <summary>
    ''' A URL to redirect to
    ''' </summary>
    ''' <value></value>
    ''' <returns></returns>
    ''' <remarks></remarks>
    Public Property RedirectOnError As String = Nothing
So in order to add an error to the ModelState dictionary, we need the name of the object to associate the error with (of course, this could just be an empty string for a generic error) - this is passed as ModelErrorName - and we also need the message to set - this is passed in ModelErrorValue. If we wanted to redirect instead, we would set RedirectOnError.

Caching and Cache Expiration

Next, we need to customise the OnActionExecuting method to do our throttling. We need to store somewhere the fact that a given user (let's define a user by their IP address combined with their user agent) has been to the page recently. I decided to generate a unique key from that information and store it in the HttpContext.Cache, set to expire after a period equal to the TimeBetweenRequests parameter of our attribute. That way, on the next request all we need to do is check for the existence of the same key in the cache. Take a look at the code below for the OnActionExecuting method:
    Public Overrides Sub OnActionExecuting(filterContext As ActionExecutingContext)

        'Cache.NoSlidingExpiration below needs Imports System.Web.Caching
        Dim HttpContext = filterContext.HttpContext

        'Get the details of the path they're requesting
        Dim pathInfo = HttpContext.Request.ServerVariables("PATH_INFO") & HttpContext.Request.ServerVariables("QUERY_STRING")
        
        'Get who requested it, get their user agent as well, as multiple people in the same room could be coming from the same IP
        Dim requestedBy = HttpContext.Request.ServerVariables("REMOTE_ADDR") & HttpContext.Request.ServerVariables("HTTP_USER_AGENT")

        'Generate a unique key based on it
        Dim key = MD5(pathInfo & requestedBy)

        'Check to see if that key is in the cache
        If HttpContext.Cache.Get(key) IsNot Nothing Then
            'Reject the request
            If ModelErrorName IsNot Nothing Then
                'Add it to the modelstate
                filterContext.Controller.ViewData.ModelState.AddModelError(ModelErrorName, ModelErrorValue)
            End If
            If RedirectOnError IsNot Nothing Then
                'Redirect
                filterContext.Result = New RedirectResult(RedirectOnError, False)
            End If
        Else
            'Add it to the cache
            HttpContext.Cache.Add(key, New Object, Nothing, Now.AddSeconds(TimeBetweenRequests), Cache.NoSlidingExpiration, CacheItemPriority.Normal, Nothing)
        End If

    End Sub
In case you don't already have code to create an MD5 hash of a string, here it is (you'll need to import System.Security.Cryptography):
        'StringBuilder and ASCIIEncoding also need Imports System.Text
        Public Shared Function MD5(ByVal strToHash As String) As String
            Dim bytToHash As Byte() = ASCIIEncoding.ASCII.GetBytes(strToHash)
            Dim tmpHash As Byte() = (New MD5CryptoServiceProvider).ComputeHash(bytToHash)
            Dim sOutput As New StringBuilder(tmpHash.Length * 2)
            For i As Integer = 0 To tmpHash.Length - 1
                sOutput.Append(tmpHash(i).ToString("X2"))
            Next
            Return sOutput.ToString()
        End Function
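As an added example, not the article's own code: a variant of the filter that also covers the case where neither ModelErrorName nor RedirectOnError is set, which in the version above records the repeat request but still lets the action run. The class and helper names (StrictRequestThrottleAttribute, BuildKey) are mine, it assumes ASP.NET MVC 3 or later for HttpStatusCodeResult, and the key derivation sits in a Shared function so it can be exercised without an HttpContext.

```vbnet
Imports System.Security.Cryptography
Imports System.Text
Imports System.Web.Caching
Imports System.Web.Mvc

<AttributeUsage(AttributeTargets.Method, AllowMultiple:=False)>
Public NotInheritable Class StrictRequestThrottleAttribute
    Inherits ActionFilterAttribute

    Public Property TimeBetweenRequests As Integer = 5
    Public Property ModelErrorName As String = Nothing
    Public Property ModelErrorValue As String = "Maximum number of requests exceeded"
    Public Property RedirectOnError As String = Nothing

    'Hypothetical helper: one key per client (address + user agent) per path.
    'Fields are joined with a NUL separator so "/a" + "b" and "/ab" + "" differ.
    Public Shared Function BuildKey(path As String, query As String, remoteAddr As String, userAgent As String) As String
        Dim raw = String.Join(vbNullChar, path, query, remoteAddr, userAgent)
        Using sha As SHA256 = SHA256.Create()
            Dim digest = sha.ComputeHash(Encoding.UTF8.GetBytes(raw))
            Return "throttle:" & BitConverter.ToString(digest).Replace("-", "")
        End Using
    End Function

    Public Overrides Sub OnActionExecuting(filterContext As ActionExecutingContext)
        Dim request = filterContext.HttpContext.Request
        Dim httpCache = filterContext.HttpContext.Cache
        Dim key = BuildKey(request.Path, request.QueryString.ToString(), request.UserHostAddress, request.UserAgent)

        If httpCache.Get(key) Is Nothing Then
            'First request in the window: record it and let the action run.
            'HttpContext.Cache is per process, so this state is not shared across a web farm.
            httpCache.Insert(key, New Object(), Nothing, DateTime.UtcNow.AddSeconds(TimeBetweenRequests), Cache.NoSlidingExpiration)
            Return
        End If

        'Repeat request inside the window: redirect wins, as in the original filter.
        If RedirectOnError IsNot Nothing Then
            filterContext.Result = New RedirectResult(RedirectOnError, False)
        ElseIf ModelErrorName IsNot Nothing Then
            'The action still runs; it is expected to check ModelState.IsValid.
            filterContext.Controller.ViewData.ModelState.AddModelError(ModelErrorName, ModelErrorValue)
        Else
            'Nothing configured: reject with 429 rather than silently running the action.
            filterContext.Result = New HttpStatusCodeResult(429, "Too Many Requests")
        End If
    End Sub
End Class
```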

Using the new Attribute

Now that your attribute is complete, all you need to do is implement it by decorating a given method with it. Take these two examples:
    <HttpGet>
    <RequestThrottle(TimeBetweenRequests:=10, RedirectOnError:="/Error/Throttle")>
    Function TestThrottle() As ActionResult
        Return View(New TestThrottleViewModel)
    End Function
This action method will only allow one request every 10 seconds to the URL /TestThrottle before it redirects to an error page. The next example adds the error to the ModelState instead, so you can return the user to the same page:
    <HttpPost>
    <RequestThrottle(TimeBetweenRequests:=10, ModelErrorName:="Comment", ModelErrorValue:="There is a 10 second wait between posts")>
    Function TestThrottle(ByVal model As TestThrottleViewModel) As ActionResult
        If ModelState.IsValid Then
            Return Content("Thanks")
        Else
            Return View(model)
        End If
    End Function
The simple view model that I have created for the post back contains just one item, "Comment"; from there I've created a form using the .NET Html Helpers:
    <% Using Html.BeginForm() %>
        <%: Html.ValidationSummary(True) %>
    
        <fieldset>
            <legend>TestThrottleViewModel</legend>
    
            <div class="editor-label">
                <%: Html.LabelFor(Function(model) model.Comment) %>
            </div>
            <div class="editor-field">
                <%: Html.EditorFor(Function(model) model.Comment) %>
                <%: Html.ValidationMessageFor(Function(model) model.Comment) %>
            </div>
    
            <p>
                <input type="submit" value="Create" />
            </p>
        </fieldset>
    <% End Using %>
The first post back works fine; the second results in the user being greeted with the error.

Conclusion

I hope this simple tutorial has helped you to think a little about your site security, as well as how to utilise custom Action Filters to reuse code across your website. As always, any questions please ask.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

Karl Stoney
Software Developer (Senior) Hewlett Packard Enterprise Security Services
United Kingdom United Kingdom
Senior Developer for Hewlett-Packard Enterprise Security Service.

Comments and Discussions

Question: Will this work across web farms? (Robert Slaney, 24-Jan-13 10:26)
Answer: Re: Will this work across web farms? (Karl Stoney, 31-Jan-13 1:44)
Question: Good accidental double post protection (Mike Lang, 7-Jan-13 5:05)

Article Copyright 2012 by Karl Stoney