Rate limiting in analytics report doesn't work as intended with the same session


    • Severity 3 - Minor

      Issue Summary

      This is reproducible on Data Center: (yes)

      The analytics report generation has a rate limit setting that restricts the number of requests that can run at the same time. The current implementation rate limits on the session ID sent through the request headers. However, the limit applies only to unique session IDs: if the same session ID already exists in the active sessions map, we simply increment it and allow the request. If the same user opens multiple tabs, they send the same session ID, which bypasses the rate limiter.

      Steps to Reproduce

      1. Set max number of concurrent reports to 1
      2. Use JMeter to load test the report generation endpoint
      3. Share the same cookie among threads, which contains the same session ID

      Expected Results

      Should rate limit when the number of requests exceeds the set limit

      Actual Results

      Rate limit not being applied
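
      The behaviour in the Issue Summary and the reproduction steps, modelled as an added example (not the product's code): `SessionKeyedLimiter` follows the described active-sessions map, and `RequestCountLimiter` is one assumed correction that caps total in-flight requests. All class, function and session names are hypothetical.

```python
import threading

class SessionKeyedLimiter:
    """Model of the reported logic: only *new* session ids count against the cap."""
    def __init__(self, max_concurrent):
        self.max_concurrent = max_concurrent
        self.active = {}                      # session id -> in-flight requests
        self.lock = threading.Lock()

    def try_acquire(self, session_id):
        with self.lock:
            if session_id in self.active:     # known session: increment and allow
                self.active[session_id] += 1
                return True
            if len(self.active) >= self.max_concurrent:
                return False                  # only an unseen session is rejected
            self.active[session_id] = 1
            return True

    def release(self, session_id):
        with self.lock:
            self.active[session_id] -= 1
            if self.active[session_id] == 0:
                del self.active[session_id]

class RequestCountLimiter(SessionKeyedLimiter):
    """Assumed correction: cap the sum of in-flight requests across all sessions."""
    def try_acquire(self, session_id):
        with self.lock:
            if sum(self.active.values()) >= self.max_concurrent:
                return False
            self.active[session_id] = self.active.get(session_id, 0) + 1
            return True

SHARED_COOKIE = ["SESSION-A"] * 5             # constructed: 5 threads, 1 session id

def admitted_in_flight(limiter, session_ids):
    """One thread per request; none finishes until all have asked for a slot."""
    results, barrier = [], threading.Barrier(len(session_ids))
    def worker(sid):
        ok = limiter.try_acquire(sid)
        results.append(ok)
        barrier.wait()                        # hold every request in flight
        if ok:
            limiter.release(sid)
    threads = [threading.Thread(target=worker, args=(s,)) for s in session_ids]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)                       # number of admitted requests
```

      With the limit set to 1, the session-keyed model admits all five requests that share a session ID, while the request-count variant admits one.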

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available.

              Assignee:
              Diclehan Erdal
              Reporter:
              Ragan Martinez
              Votes:
              5
              Watchers:
              5
