Preventing Floods

Like any other web application running on the internet, uniGUI applications can be vulnerable to floods, which may lead to a denial-of-service (DoS) condition.

Fortunately, uniGUI offers internal mechanisms to prevent the unwanted side effects of floods. The most important side effect is the creation of many sessions that do not belong to real users. These sessions consume system resources and may prevent real users from creating new sessions, causing a DoS condition.

To avoid this you can use one or more of the mechanisms below.

1. Anti Flood prevention per IP address

This feature can be enabled in ServerModule->ServerLimits->AntiFloodPerIP.

This property implements a simple flood prevention mechanism by preventing sessions from being created too fast. The unit for this property is milliseconds.

  • A zero value means that no flood prevention is applied.

  • Values greater than zero enable flood prevention. The application keeps track of each IP address and the time interval between creating new sessions. If the time interval between two session creations is less than the value of this property, an exception will be raised.

Example: if this value is set to 1000, each remote IP should wait at least 1 second (1000 ms) before it can create a new session. For a typical scenario, a value between 250–1000 ms is usually sufficient. A value of 250 indicates that no more than 4 sessions can be created per second from the same IP address.

Note that a group of computers in a LAN may share the same external IP address, so when they connect to a remote uniGUI application server it may appear they all come from the same IP. Consider this when adjusting the property value.

Default value: 0 (No anti-flood protection)

For HyperServer clusters this feature should be enabled at HyperServer level. This feature can be enabled in the HyperServer CFG file. See: https://unigui.com/doc/online_help/installing-and-configuring-hyp.htm
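The following is an added example, not uniGUI code: a small Python model of the per-IP interval rule described above, replayed over constructed traffic to show how a candidate AntiFloodPerIP value treats a flooding IP compared with several users behind one shared address. It assumes the interval is measured from the last session that was actually created; the function names and sample addresses are hypothetical.

```python
from collections import defaultdict

def replay(events, anti_flood_ms):
    """Replay (time_ms, ip) session requests against a per-IP minimum
    interval, following the AntiFloodPerIP description.
    Returns {ip: (created, rejected)}."""
    last_created = {}                      # ip -> time of last created session
    stats = defaultdict(lambda: [0, 0])
    for t, ip in sorted(events):
        prev = last_created.get(ip)
        # A zero value disables the check entirely.
        if anti_flood_ms > 0 and prev is not None and t - prev < anti_flood_ms:
            stats[ip][1] += 1              # too soon: the server would raise an exception
            continue
        last_created[ip] = t               # assumption: only created sessions reset the timer
        stats[ip][0] += 1
    return {ip: tuple(v) for ip, v in stats.items()}

# Constructed sample traffic (time in ms, documentation-range addresses).
FLOOD = [(t, "203.0.113.7") for t in range(0, 1000, 50)]   # 20 requests, 50 ms apart
OFFICE = [(0, "198.51.100.20"), (400, "198.51.100.20"),
          (900, "198.51.100.20")]                           # 3 users sharing one external IP
SINGLE = [(100, "192.0.2.5")]                               # one ordinary user
EVENTS = FLOOD + OFFICE + SINGLE

def compare(values=(0, 250, 1000)):
    """Run the same traffic through several candidate property values."""
    return {v: replay(EVENTS, v) for v in values}

if __name__ == "__main__":
    for value, stats in compare().items():
        print(f"AntiFloodPerIP={value}")
        for ip, (created, rejected) in sorted(stats.items()):
            print(f"  {ip:15} created={created:2} rejected={rejected:2}")
```

With this sample, 250 ms cuts the flooding address to 4 sessions in the second while all three office users get in; 1000 ms cuts it to 1 but also rejects two of the three office users.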

2. Limiting one session per IP address

Enable this by setting ServerModule->ServerLimits->SessionRestrict to srOnePerIP.

When enabled, the uniGUI server will create only one session per connected IP address. If more than one session request comes from the same IP address, the previously created session will be destroyed and a new session will be created. This prevents your server from being flooded with multiple sessions from a single IP address. Because computers in a LAN may share the same external IP address, users behind one shared address will replace each other's sessions under this setting.

Default value: srNone (No restriction)

For HyperServer clusters this feature should be enabled at HyperServer level. This feature can be enabled in the HyperServer CFG file. See: https://unigui.com/doc/online_help/installing-and-configuring-hyp.htm

3. Limiting one session per computer

Enable this by setting ServerModule->ServerLimits->SessionRestrict to srOnePerPC.

When set, the server will try to allow only one session per remote PC. To achieve this, the server stores a cookie on the client PC and checks it each time a new session is created. This forces each PC to run only one session per browser. However, the restriction can be bypassed by using different browsers on the same PC (for example, one session in Firefox and another in Chrome).

Within that limit, this keeps your server from being flooded with multiple sessions from a single PC or browser.

For HyperServer clusters this feature should be enabled at HyperServer level. This feature can be enabled in the HyperServer CFG file. See: https://unigui.com/doc/online_help/installing-and-configuring-hyp.htm
