Sliding window rate limiter in PHP — more accurate than fixed window
Fixed window rate limiters have a well-known burst problem: a user can make double the allowed requests by sending them right at the boundary between two windows. Sliding window fixes this and is still straightforward to implement without Redis.
The key difference from token bucket: sliding window counts exact request timestamps, not tokens. It is more precise for “N requests per period” semantics but uses more memory per key since you store all timestamps in the window.
Nice writeup. The memory issue you mentioned is real at scale. For 10 req/min limit with 1 million active users you would store up to 10 million timestamps in memory. In practice for distributed systems this goes to Redis with a sorted set, but the in-memory version is perfect for CLI tools, test suites, or single-process applications.
One micro-optimization: instead of array_filter + count, you can use array_splice to remove old entries in-place which avoids creating a new array:
```php blocks are runnable.