[mod-security-users] My variable seems to never expire...
From: Mikaël P. <mik...@bo...> - 2020-09-15 19:30:15
Hello,
I'm new to ModSecurity rules and I am trying to define some rules in my
ModSecurity config (Nginx and libmodsecurity 3.0.3 - Debian).
One of these rules is a rate limit rule: I would like to limit users to 20
req/min on my /api.* . So I defined these:

SecRule REQUEST_COOKIES:PHPSESSID "!^$" \
    "id:400010,\
    phase:1,\
    pass,\
    nolog,\
    setsid:%{REQUEST_COOKIES.PHPSESSID}"

SecRule REQUEST_URI "^/api/" \
    "id:400011,\
    phase:2,\
    pass,\
    nolog,\
    setvar:'session.api_req_counter=+1',\
    expirevar:'session.api_req_counter=60'"

SecRule SESSION:API_REQ_COUNTER "@gt 20" \
    "id:400012,\
    deny,\
    status:429,\
    log,\
    msg:'RATELIMITED',\
    chain"
    SecRule REQUEST_URI "^/api/"

It works: requests are denied! But they are denied forever. My
variable session.api_req_counter is never reset.
Could you help me?
Thanks,
--
Mikaël,