Yes, that feels simple enough, and would work for a small at home BBS.
It gets messy when you have a number of users and need to know why a specific user is sending you 150 requests per min for 3 hours: you'll insta ban that user, but still need to understand what happened. Did they get their login info leak and the whole internet is having a field day with it ? Is it an issue with your system and their browser is stuck in a weird loop ? Are you session management backend going bust and they're actually all different logged users ?
You'll only know if you have the IP, parts of the headers and some more debugging info, and activating the debug after the fact is often not good enough.
It gets messy when you have a number of users and need to know why a specific user is sending you 150 requests per min for 3 hours: you'll insta ban that user, but still need to understand what happened. Did they get their login info leak and the whole internet is having a field day with it ? Is it an issue with your system and their browser is stuck in a weird loop ? Are you session management backend going bust and they're actually all different logged users ?
You'll only know if you have the IP, parts of the headers and some more debugging info, and activating the debug after the fact is often not good enough.