Implementing session-based rate limiting with session storage in JavaScript

21 Sep 2023

rateLimiting

Rate limiting is a crucial technique for protecting APIs and preventing abuse. It sets limits on the number of requests a client can make within a specific time interval. One common approach is session-based rate limiting, where the rate limit is associated with the user’s session.

In this blog post, we will walk through the implementation of session-based rate limiting using session storage in JavaScript. We will leverage the sessionStorage object available in modern browsers to store and retrieve session data.

Prerequisites

To implement session-based rate limiting, you should have a basic understanding of JavaScript and how to use session storage.

Step 1: Initialize session storage

To get started, let’s initialize the session storage by setting the initial rate limit for each session. We will use the client’s IP address as the session identifier.

const ipAddress = getIpAddress(); // function to retrieve client's IP address
const sessionKey = `session:${ipAddress}`;

if (!sessionStorage.getItem(sessionKey)) {
  const initialLimit = 100;
  const currentTime = Date.now();
  const sessionData = {
    limit: initialLimit,
    lastRequestTime: currentTime
  };
  sessionStorage.setItem(sessionKey, JSON.stringify(sessionData));
}

In the above code, we first get the client’s IP address (you can replace getIpAddress() with your implementation). We then check if a session entry exists in the session storage for that IP address. If not, we set the initial rate limit (in this case, 100 requests) and the current time as the last request time.

Step 2: Check rate limits before making requests

Next, we need to check the rate limit before allowing a request to proceed. We will add this check before making any API calls.

function makeApiRequest() {
  const timeout = 1000; // milliseconds (1 second)
  const sessionData = JSON.parse(sessionStorage.getItem(sessionKey));
  
  if (sessionData) {
    const currentTime = Date.now();
    const elapsedTime = currentTime - sessionData.lastRequestTime;
    
    if (elapsedTime < timeout && sessionData.limit > 0) {
      // Proceed with the request, decrement the limit
      sessionData.limit--;
      sessionStorage.setItem(sessionKey, JSON.stringify(sessionData));
      // Make the API request
    } else {
      // Rate limit exceeded, reject the request or show an error message
    }
  } else {
    // Session data not found, handle accordingly
  }
}

In the code above, we retrieve the session data from session storage. We then calculate the elapsed time since the last request and check if it’s within the timeout period (1 second in this example) and if the limit is still remaining. If both conditions are satisfied, we decrement the limit and proceed with the API request. Otherwise, we reject the request or show an error message.

Conclusion

In this blog post, we’ve implemented session-based rate limiting using session storage in JavaScript. By associating rate limits with user sessions, we can protect our APIs from abuse and ensure fair usage of resources. Remember to adapt the code according to your specific requirements and server-side implementation.

#rateLimiting #JavaScript