Todd White wrote:
Realizing that ultimately people can share their username/password to a
for-fee protected web site, we would at *least* like to avoid the
possibility that two people could both be logged in at the same time from
two different computers.  The use of IP address doesn't seem adequate
since many users come through a router/proxy running NAT.

Any pointers?

How are you tracking people right now? Basic auth? That won't work, since there is no way to log people out.


What you need to do is track sessions with a unique ID in the path info or a cookie. You keep a list of valid session IDs on the server side. When someone successfully logs in as a particular user, you invalidate any other sessions that are logged in as that user. This doesn't actually prevent two people from browsing with the same username, but it will make them keep invalidating each other's sessions, forcing them to log in again on every page. It's an irritation, and a reminder that they are doing something you don't allow.

Of course you could also just totally prevent people from logging in again if there is already an active session for that user, but that will cause problems because your sessions will not get invalidated if a user shuts down his browser or crashes his machine.

- Perrin
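The session-tracking scheme Perrin describes, as an added example (not code from the original thread): a server-side store that issues an unpredictable session ID on login and throws away every other session belonging to the same user, plus an idle timeout so that a session abandoned by a crashed browser eventually disappears. The `exclusive` flag shows the stricter variant (refuse a second login while a session is active), which the idle timeout keeps from locking users out for good. The class, method names, the 30-minute timeout and the injectable clock are all assumptions made here; the in-memory dict stands in for whatever shared store (database, memcached) a real multi-process server would need.

```python
import os
import time

# Idle timeout after which an untouched session is considered dead.
# The 30-minute value is an assumption chosen for this example.
SESSION_TTL = 30 * 60


class SessionStore:
    """Server-side list of valid session IDs, keyed by session ID.

    Each entry records the logged-in user and the time of the last request,
    so sessions whose browser went away without logging out can expire.
    """

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self._sessions = {}   # session_id -> {"user": str, "last_seen": float}
        self._ttl = ttl
        self._clock = clock   # injectable for testing

    def login(self, username, exclusive=False):
        """Authenticate succeeded for `username`; hand back a new session ID.

        Default behaviour (Perrin's first suggestion): kill every other
        session for this user, so two people sharing one account keep
        logging each other out.

        exclusive=True (the stricter variant): refuse the login (return None)
        while another session for this user is still active. The idle timeout
        in expire_idle() is what keeps a crashed browser from blocking the
        account forever.
        """
        self.expire_idle()
        others = [sid for sid, s in self._sessions.items() if s["user"] == username]
        if exclusive and others:
            return None
        for sid in others:
            del self._sessions[sid]
        # 128 bits from the OS CSPRNG: an attacker cannot guess a valid ID.
        sid = os.urandom(16).hex()
        self._sessions[sid] = {"user": username, "last_seen": self._clock()}
        return sid

    def validate(self, sid):
        """Return the user owning a still-valid session ID, refreshing its
        idle timer; return None if the ID is unknown, invalidated or expired."""
        self.expire_idle()
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        sess["last_seen"] = self._clock()
        return sess["user"]

    def logout(self, sid):
        """Explicit logout: forget the session ID."""
        self._sessions.pop(sid, None)

    def expire_idle(self):
        """Drop sessions that have seen no request within the TTL."""
        now = self._clock()
        for sid, sess in list(self._sessions.items()):
            if now - sess["last_seen"] > self._ttl:
                del self._sessions[sid]

    def active_sessions(self, username):
        """Session IDs currently valid for `username` (after expiry)."""
        self.expire_idle()
        return [sid for sid, s in self._sessions.items() if s["user"] == username]


if __name__ == "__main__":
    # Constructed walk-through: two logins as the same user from two machines.
    store = SessionStore()
    first = store.login("alice")
    second = store.login("alice")          # invalidates `first`
    print("first still valid:", store.validate(first) is not None)   # False
    print("second still valid:", store.validate(second) == "alice")  # True
    print("exclusive login refused:", store.login("alice", exclusive=True) is None)
```

The session ID would be carried in a cookie (or path info, as Perrin says); when a cookie is used, marking it `HttpOnly` and, on an HTTPS site, `Secure` keeps the ID out of scripts and off the wire in clear. Every request handler calls `validate()` and redirects to the login page on `None`, which is exactly the "log in again on every page" irritation the reply describes for two people sharing one account.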
