How could I limit the number of sessions for a user?

Dear Experts

Is there any way to limit the number of sessions for a user in DHIS2?

Some API users are sending thousands of requests and creating stress on the server. Is there any other alternative?

Hi Hannan

There is, to the best of my knowledge, no internal way to restrict API usage based on user. The DHIS2 API is fundamentally optimistic in that sense. It will always try to handle the new request, even when it is on its knees :)

The only feasible way to protect against this sort of “friendly fire” is to use some sort of rate limiter, typically at the reverse proxy or API gateway. For example, NGINX Rate Limiting if you are using nginx.

Note that limiting requests per user is not quite the same as limiting the number of sessions (many requests can be sent in the same session).

Do you have an idea of who or what these users are and what sort of API requests they are sending? Sometimes, as in the case of very old Android apps, the most humane strategy is to simply block the user agents.

Regards
Bob

1 Like
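
The reverse-proxy approach from the answer above, written as an nginx configuration. This is an added example, not part of the original thread or of DHIS2's documentation. It assumes API clients authenticate with HTTP Basic and that DHIS2 listens on `127.0.0.1:8080`; the zone names, rates, server name and user-agent pattern are constructed placeholders.

```nginx
# Added example. Upstream address, zone names, rates and the user-agent
# pattern are assumptions, not values from the thread.
# The map and *_zone directives belong in the http {} context.

# Limit key: the Basic-auth user name if one was sent, otherwise the client
# address, so requests without Basic credentials are still counted.
map $remote_user $api_limit_key {
    ""      $binary_remote_addr;
    default $remote_user;
}

# Flag clients to refuse outright (placeholder pattern for an old app build).
map $http_user_agent $blocked_agent {
    default                     0;
    "~*ExampleLegacyClient/1\." 1;
}

# Request rate per key: 5 requests/second sustained.
limit_req_zone  $api_limit_key zone=dhis2_api_req:10m rate=5r/s;
# Concurrent connections per key. This caps parallelism, not login
# sessions: one session can still carry many sequential requests.
limit_conn_zone $api_limit_key zone=dhis2_api_conn:10m;

server {
    listen 80;
    server_name dhis2.example.org;   # placeholder host name

    location /api/ {
        if ($blocked_agent) {
            return 403;
        }

        # Allow short bursts of 20, reject the excess immediately.
        limit_req  zone=dhis2_api_req burst=20 nodelay;
        limit_conn dhis2_api_conn 10;

        # Answer throttled clients with 429 instead of the default 503,
        # and log rejections at warn level so heavy users can be identified.
        limit_req_status     429;
        limit_conn_status    429;
        limit_req_log_level  warn;

        proxy_pass http://127.0.0.1:8080;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Rejected requests appear in the nginx error log with the zone name, which helps answer the question of which users or clients are generating the load before settling on final rates.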