Any ideas? I'd move this to paid requests, but I don't even know what to ask for as I have no idea if it's even possible.

If you reset the password after a different ip accesses an account that was previously used by another IP you don´t take dial up users into account.
My DSL connection is separated after 24h.
When I am browsing the forum and get disconnected I reconnect immediatly with a new ip.

In that case nearly every day I would need to change my password so I doubt that this would be a good idea.

You could write a script that detects if a forum cookie for another account is already set and if that is the case then notify an admin about possible account sharing.

StarBuG

So you're saying it's impossible to detect account sharing due to dynamic ip's?


I still say it's possible. There are many sites out there that can tell when accounts are being shared by checking IP's.

How about this: check if there have been 5+ different IP's accessing the account within a certain amount of time - say 20 seconds. Unless DSL or dialups switch IP's every few seconds this should work fine.

They can't (under the condition the Users don't have certificates on secure devices).
They can only assume - with a good or bad ratio of false decisions.

This is what you want to avoid > I can login right now as admin...then go down the road to my friends house, find my forum and again without any questions login as admin...so we got two admins on different pc's using the same account doing different things.... hmmmmm don't like that me thinks...so here's an idea >

once a user is logged in and then if another login attempt on the same (logged in account) takes place, a simple check should reveal that if already logged in (as shown on the WOL section) then refuse them at the gate with a "your already logged in mate!" screen.... easy!

-b6

Hmm ... you log in, then you have a line failure and get disconnected after a few seconds.
You dial in again, get a new IP ... and must wait 15 minutes to contine.

Would really p*ss me off.

Also, what about AOL Users?
AOL uses a Proxy Cluster, so every request from an AOL User might come in with a different IP => new Session all the time.

*more problems to add here*

This could work, asuming the account owner could kill the current session. Think IRC and ghosting.

Yeah. But how would you identify if the "Account Owner" is trying to kill the old Session?
The only thing that comes up my mind are shared secrets (if the Users don't have certificates or you can do biometrical identification) - and then we've gained nothing :)

Agreed, that would rely on a second password and it can be shared just like the other one. Users on proxies would also be bad (aol comes to mind).

I'm sure it's possible, but I honestly don't see why it is worth coding because anything you do can be gotton around. If you figure out how to do it all on the server side you are still burning clock cycles that can be better used else where.

This type of problem is best done by humans imho, sure you can only catch them after the fact. But I'd rather do that then turn away possible members because my code thinks they are browsing from two seperate locations. :)

haha kirby you're such a buzzkill. Do you have any ideas for a way that would work, or have any idea how other sites do it?

I don't care if 2 or 3 people are sharing, I just want to stop 10+ people using the same account.