Posted by Dan Tappin on 03/01/05 22:53

What about using a simple session database to ensure multiple logins
are not allowed. You can create a session, store the session ID in
mysql. If the same user tries to login again from a different location
i.e. new session ID you can lock them out / log this activity.

You really can't prevent the shared password issue unless you billed on
a per login basis. The bottom line is that you end up accepting that
you grant access to a user you give up controlling the sharing. You
can only prevent multiple login's which is pretty good. It really does
not matter if two people use the site 12 hours per day or one 24 hours
per day.

You can track IP's to look for suspected sharing i.e. use ARIN / RIPE
look-ups and see if the same user log's in from multiple subnets. I
would think that this would be quite easy with PHP and a MySQL type
log.

Do your best to limit abuse and move on.

Dan T

[Back to original message]