In other words, how do we prevent two users from using the same password
to access the same account at the same time?
There are a few strategies I'd consider... each has plusses and minuses.
1) Lock to one IP. Keep a table with the most recent IP address, and the
most recent access time. Any
They are all good suggestions, Tim's is probably the most sophisticated,
but it's inevitable that usernames and passwords will escape.
On top of this I'd add a weekly count of user logins, so that the users in
effect buy a given amount of accesses each week.
If you're really serious, you will
