From kevin.w.wall@gmail.com on September 18, 2014 13:51:20

Disregard previous comment. Won't fix 141.

From eric.cit...@gmail.com on January 03, 2014 06:56:50

Thank you for your reply.

IMHO, hits=1 is a valid value. The way I understand it is that "you can do no more than 1 request in any period of 2 seconds". In other words: you just made a request, fine! now wait for 2 seconds before making another one.

From kevin.w.wall@gmail.com on January 22, 2014 22:45:25

Eric,
Would you like this work to be considered for the ESAPI hackathon contest? If so, please email me ASAP. Thanks.
-kevin wall <kevin.w.wall@gmail.com>

From kevin.w.wall@gmail.com on September 18, 2014 13:49:52

See related issue # 141.

From kevin.w.wall@gmail.com on January 01, 2014 21:25:37

I think that there's an implicit assumption that 'hits' would never be configured to be set to one as that would mean that no request could be made at all within any time period, but you have a valid point for when 'hits' is 2.

I've not yet scrutinized your patch in any depth, but this is also the first time that I've really took anything more than a very superficial look at RequestRateThrottleFilter. That said, your patch is more in line with how I would have written this. I will take a look at it when I get a bit more time. Thanks.