Question

I am trying to limit a form's submission rate to one per user per 120 seconds.

I was thinking about using a $_SESSION variable, but I'm not sure how that would work, and cookies can just be deleted. I guess a $_SESSION variable could be worked around by an intuitive user just by logging out and back in.

I'm just theorizing at the moment so I do not have code.

How do I get around my problem?

EDIT --

The reason the user would be querying so often is because it is an item and bestiary database. I need to slow down user queries to an acceptable rate because if I go over the rate of 10 queries/minute, the application may be "banned" or denied for about an hour.


Solution

$_SESSION and $_COOKIE variables could be removed by the user, and could therefore be abused by them. You need to store the submits somewhere on your server. Perhaps with MySQL. Then do a check before processing the form.

Something like

SELECT COUNT(*) attempts, MAX(submit_time) last
FROM form_submits
WHERE user_id = ?
AND submit_time > NOW() - INTERVAL 2 MINUTE

Then

if ($row['attempts'] > 0) {
    // Remaining wait is the 120-second window minus the seconds already elapsed
    $wait = 120 - (time() - strtotime($row['last']));
    echo "You must wait " . $wait . " seconds before you can submit this form again.";
    return;
}
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow