Best approach to preventing abuse of resource intensive script?

[Axeia]

I'm writing a script that lets a user create a custom graph and at the end of the ride the graph is created via either GD2 or Imagick, depending on if I figure out how to draw a pie slice with imagick.

 

Anyhow, GD2 and Imagick take their toll on the server as they're both quite 'heavy' processes and I'd like to restrict the user to create a graph at most once every 10 seconds. What's the best approach to this, sessions, sessions in combination with cookies, something completely different?

[dbo]

Every 10 seconds period or every 10 seconds per user?

[Axeia]

10 seconds per user, though if it proves to be popular.. once every ~1 second might be interesting as well.

[corbin]

Sessions would be easy for malicious users to circumvent, but they are pretty much your only option unless you want to do it by IP address.

 

 

With sessions it would be something simple like:

 

<?php

 

session_start();

 

if($_SESSION['last_graphed'] >= time()-10) {

    //please wait 10 seconds

}

 

//Somewhere else, you would do $_SESSION['last_graphed'] = time().

[Axeia]

mmh didn't even think of IP addresses, guess that's worth looking into.

 

A real IP address takes a couple of seconds, so that would be a nice way but I've no clue as how long it would take with IP spoofing. But combining it the session bit you just posted it would at least be quite hard to get the server to be make images nonstop not having time for the normal things.

 

Thanks for the help, if anyone else has other/better idea's I'd love to hear them.

[corbin]

It wouldn't be user friendly, but you could of course make people wait 10 seconds before making a graph.  Kind of like rapidshare (or megaupload or so on) does with downloading.  Even if you change IPs or what ever, you still have to wait the time.