IIS Home @ it-notebook.org

Can I limit the number of concurrent file downloads per user?

(Kristofer Gafvert, July 29, 2006)

Question

I want to restrict the number of concurrent downloads per user to only two. Is it possible to enforce this restriction using IIS?

Answer

The short answer to your question is: No, you cannot do this with IIS. This does however not mean that you cannot enforce such restriction with IIS as the web server; it just means that IIS cannot do it on its own.

In your question, you have two things that are extremely difficult to determine for a web server (any web server, not just IIS):

  • What is a user?
  • Is a specific HTTP request related to another HTTP request? (i.e. are they coming from the same user)

What is a user?

A client connects to the web server and sends a HTTP message requesting a file. This is what the web server sees, a connection from another device (an IP address) and a HTTP message telling the web server what the client wants. There is nothing in the HTTP message (unless added by custom code) identifying a user and making each user unique. Furthermore, the IP address cannot be used to identify a user because many users may use the same IP address (a proxy), and one user may use multiple IP addresses (some proxies work like this).

Is a specific HTTP request related to another HTTP request?

HTTP is a stateless protocol meaning that each request is independent from others (the web server does not need to retain any information about the users between requests). This is another problem making it impossible for a web server to restrict the number of concurrent downloads, because even if the web server could identify the user, it can not know how many files this user is downloading at the same time.

The solution

So what is needed to solve this is something that either extends IIS, such as an ISAPI filter, or a server-side script. As for an ASP.NET solution for this, it could be done by utilizing session state and checking whether the user is already "logged in" and how many files it is currently downloading. That is, the user must be identified, and the number of currently downloading files must be stored so it can be checked upon start of a new request.