HTTP Session Limit

Problem this snippet solves:

Limits total concurrent HTTP sessions to a pre-defined threshhold, allowing those clients with a session cookie to continue once the limit is reached, while redirecting new clients until concurrent sessions are again below the theshhold.

Code :

rule HTTP_session_limit {
 when RULE_INIT {
  set ::total_active_clients 0
  set ::max_active_clients 100
  log local0. "rule session_limit initialized: total/max: $::total_active_clients/$::max_active_clients"
  ;# test cookie presence
  if {[HTTP::cookie exists "ClientID"]} {
    set need_cookie 0
    set client_id [HTTP::cookie "ClientID"]
    ;# if cookie not present & connection limit not reached, set up client_id
  } else {
    if {$::total_active_clients < $::max_active_clients} {
      set need_cookie 1
      set client_id [format "%08d" [expr { int(100000000 * rand()) }]]

      # Only count this request if it's the first on the TCP connection
      if {[HTTP::request_num] == 1}{
        incr ::total_active_clients
      ;# otherwise redirect
    } else {
      HTTP::redirect ""
  ;# insert cookie if needed
  if {$need_cookie == 1} {
    HTTP::cookie insert name "ClientID" value $client_id path "/"
  ;# decrement current connection counter for this client_id
  if {$::total_active_clients > 0} {
    incr ::total_active_clients -1
Published Mar 18, 2015
Version 1.0

Was this article helpful?


  • If the intention is to keep the connections to the pool of servers below a certain threshold, this would work. But I don't see how this would not end up interfering with an active application session if that user happens to return a transaction at a time that it was over the connection limit-- they may get a 'sorry' redirect in mid-session. For most web-based application sessions, it is a series of transactions where each transaction may be in a separate connection.


  • Hi @brad


    From your comment, Is active session will get interfere ? because active session will have existing session cookie "ClientID" and then they will continue using application normally even though $::max_active_clients is reach .


    I want to using this but still not sure if it will working.


  • you are correct they have a ClientId cookie and will not drop a user. But this code seems to be more of a connection count limit and not a session count limit. A session spans multiple HTTP_REQUEST / HTTP_RESPONSE&CLIENT_CLOSED. Since it decrements the counter at close it makes it available for others even though this user still has a session active (a cookie active).


    There are a couple other articles that I feel accomplish the session limit. I adapted one.. but look at:


  • I lookup irule in your comment. Why It's look like the same as this irule? (have same client_closed event with delete table = this irule decrement counter)


    ps. I'll comment more in those link instead to not confusing.