Problem with the limit count with POSTS

Julio Biason

Mar 27, 2009, 12:12:14 AM
Hi there,

I just found a problem with rate limit count. A few days ago, my app
(Mitter) started getting weird "always 100 remaining requests
available" all the time. At the time I ignored that.

Today I was trying to get the X-RateLimit-Remaining header and there
was no way to find out why I was not receiving it. Then it clicked:

I added the "since_id" parameter but, due to the way Python "urllib2"
module behaves, adding it in the body makes a POST request instead of
GET. Getting /statuses/friends_timeline.json works fine this way but,
because it's a POST, it doesn't count to the limit and the response,
also fine, doesn't return the X-RateLimit-Remaining.

If possible, I'd suggest to keep things this way, but add the
X-RateLimit-Remaining on EVERY request (as it says in the issue) and
count every request unless the url is "/statuses/update".

PS: Before anyone says anything, I found that in the development
trunk; the "exploit" is not in the wild yet.

Julio Biason

Matt Sanford

Mar 27, 2009, 11:27:28 AM
Hi there,

    As part of the OAuth changes I've been planning to start restricting the GET/POST operations some more. If you follow this list you have probably noticed that people using POST in place of GET has been the source of many OAuth errors. If that gets added things like this will break, and as a side effect we will correctly enforce the rate limit. While I admire suggesting we keep it this way, it is a workaround to one of the things that keep our system performing and one of the protections against DOS (be it accidental or not) so that seems unlikely. I'll ask around but I can't say I'll be holding my breath.

  — Matt Sanford / @mzsanford

Matt Sanford

Apr 3, 2009, 4:33:30 PM
to Twitter Development Talk
Hi there,

    I know this is a slightly older thread but it's been sitting in my inbox marked as 'needing attention'. We've been talking about how we can improve communication and a big part of that is warning the list before things go out. Everybody be sure to thank Doug for keeping on me about that. It gets hectic around here and I often forget.

    I have the code ready to go out that starts limiting API requests that need GET to GET only. The code has been tested and reviewed so I'm guessing it will be deployed early- to mid-next week. If you're currently using POST for all operations, or for any operations that should be a GET, you'll start to see HTTP 400 return codes with the message "This method requires a GET.". You can find out what method an operation expects on the API wiki: I don't anticipate many apps with problems but better to mention it so you have time to double check.

  — Matt Sanford
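
A server-side sketch of the behaviour discussed in this thread, added here as an example and not Twitter's code: the request is counted before the HTTP method is inspected, X-RateLimit-Remaining goes on every response, and a read endpoint called with POST gets the 400 message quoted above. The `ApiGate` class, the routing table, the quota of 100 and the 429 status for an exhausted quota are assumptions of this example.

```python
from collections import defaultdict

LIMIT = 100  # assumed quota per window; the thread only mentions "100 remaining"
REQUIRED_METHOD = {  # hypothetical routing table built from the paths in the thread
    "/statuses/friends_timeline.json": "GET",
    "/statuses/update": "POST",
}
UNCOUNTED = {"/statuses/update"}  # the one path the first post suggests exempting


class ApiGate:
    """Hypothetical front-end check: quota accounting never depends on the verb."""

    def __init__(self, limit=LIMIT):
        self.limit = limit
        self.used = defaultdict(int)  # requests counted per client

    def handle(self, client, method, path):
        """Return (status, headers, body) for one request."""
        counted = path not in UNCOUNTED
        # Count first, so switching GET to POST cannot change the accounting.
        if counted:
            self.used[client] += 1
        remaining = max(self.limit - self.used[client], 0)
        # The header is attached to every response, including errors.
        headers = {"X-RateLimit-Remaining": str(remaining)}
        required = REQUIRED_METHOD.get(path)
        if required is None:
            return 404, headers, "Not found"
        if counted and self.used[client] > self.limit:
            return 429, headers, "Rate limit exceeded"  # assumed status code
        if method != required:
            return 400, headers, "This method requires a %s." % required
        return 200, headers, "ok"


if __name__ == "__main__":
    gate = ApiGate(limit=3)  # small quota so the demo reaches the limit
    for verb, path in [
        ("POST", "/statuses/friends_timeline.json"),  # wrong verb, still counted
        ("GET", "/statuses/friends_timeline.json"),
        ("POST", "/statuses/update"),                 # exempt from the count
        ("GET", "/statuses/friends_timeline.json"),
        ("GET", "/statuses/friends_timeline.json"),   # over quota
    ]:
        print(verb, path, gate.handle("client-a", verb, path))
```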