I’m building an ASP.NET MVC site where I want to limit how often authenticated users can use some functions of the site.

Although I understand how rate-limiting works fundamentally, I can’t visualize how to implement it programmatically without creating a major code smell.

Can you point me towards a simple yet powerful solution for approaching such a problem, with C# sample code?

If it matters, all of these functions are currently expressed as Actions that only accept HTTP POST. I may eventually want to implement rate-limiting for HTTP GET functions as well, so I’m looking for a solution that works for all such circumstances.


If you are using IIS 7 you could take a look at the Dynamic IP Restrictions Extension. Another possibility is to implement this as an action filter:

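using System;
using System.Net;
using System.Web;
using System.Web.Caching;
using System.Web.Mvc;

[AttributeUsage(AttributeTargets.Method, AllowMultiple = false)]
public class RateLimitAttribute : ActionFilterAttribute
{
    public int Seconds { get; set; }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // Using the IP Address here as part of the key but you could modify
        // and use the username if you are going to limit only authenticated users
        // filterContext.HttpContext.User.Identity.Name
        var key = string.Format("{0}-{1}-{2}",
            filterContext.ActionDescriptor.ControllerDescriptor.ControllerName,
            filterContext.ActionDescriptor.ActionName,
            filterContext.HttpContext.Request.UserHostAddress);
        var allowExecute = false;

        if (HttpRuntime.Cache[key] == null)
        {
            HttpRuntime.Cache.Add(key, true, null, DateTime.Now.AddSeconds(Seconds),
                Cache.NoSlidingExpiration, CacheItemPriority.Low, null); // blocks the key for Seconds
            allowExecute = true;
        }
        if (!allowExecute)
        {
            filterContext.Result = new ContentResult
                { Content = string.Format("You can call this every {0} seconds", Seconds) };
            filterContext.HttpContext.Response.StatusCode = (int)HttpStatusCode.Conflict;
        }
    }
}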

And then decorate the action that needs to be limited:

[RateLimit(Seconds = 10)]
public ActionResult Index()
{
    return View();
}
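
A variant for the per-user case the question asks about, as an added example that is not part of the answer above or written by its author. The attribute name `UserRateLimitAttribute` and the `ratelimit-` key prefix are hypothetical; it keys on the authenticated user name, uses the return value of `Cache.Add` so that check and insert are a single step, and answers with 429 plus `Retry-After`.

```csharp
using System;
using System.Web;
using System.Web.Caching;
using System.Web.Mvc;

// Hypothetical attribute name; added example, not the answer's own code.
[AttributeUsage(AttributeTargets.Method, AllowMultiple = false)]
public class UserRateLimitAttribute : ActionFilterAttribute
{
    public int Seconds { get; set; }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var http = filterContext.HttpContext;

        // Key on the authenticated identity; fall back to the client address
        // for anonymous requests. The prefixes keep the two namespaces apart.
        var caller = http.Request.IsAuthenticated
            ? "user:" + http.User.Identity.Name
            : "ip:" + http.Request.UserHostAddress;

        var key = string.Format("ratelimit-{0}-{1}-{2}",
            filterContext.ActionDescriptor.ControllerDescriptor.ControllerName,
            filterContext.ActionDescriptor.ActionName,
            caller);

        // Cache.Add never overwrites: it returns null when it stored the entry
        // and the existing object when the key was already present, so a single
        // call both tests and claims the window (no check-then-add gap).
        var existing = HttpRuntime.Cache.Add(key, true, null,
            DateTime.UtcNow.AddSeconds(Seconds),
            Cache.NoSlidingExpiration,
            CacheItemPriority.NotRemovable, // not evicted under memory pressure
            null);

        if (existing != null)
        {
            // 429 Too Many Requests (RFC 6585), with a hint for well-behaved clients.
            http.Response.AddHeader("Retry-After", Seconds.ToString());
            filterContext.Result = new HttpStatusCodeResult(429, "Too Many Requests");
        }
    }
}
```

`HttpRuntime.Cache` is local to one worker process, so on a web farm, or after an application pool recycle, each process starts its own window.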

