
Tracking unique users with cookies


aus_dave

12:51 pm on Dec 5, 2002 (gmt 0)


I don't know much about security beyond setting up users and passwords on a server directory.

I have a site which limits access to approximately 100 users and the data on the site is commercially sensitive. We can limit the delivery of information within the site, now we want to limit the access.

Is there a way to check that users aren't handing a password around to people using other computers? I suspect cookies may be the answer but am an absolute beginner in this area. They are all dial-up users so IP addresses would be dynamic.

sugarkane

7:49 pm on Dec 9, 2002 (gmt 0)


You could set a long-lived cookie in the visitor's browser when they first sign up for access to the controlled area, and only allow them back in if that cookie is present, but it's a less than satisfactory solution in my opinion.

There are many reasons why a cookie could be 'lost' from the visitor's browser - a manual clear-out of cookies, the browser only being able to keep track of a certain number of them, or even a hard drive format / OS reinstall. You'd have to come up with a way of allowing members to get a new cookie if they lost theirs, which may end up being more trouble than it's worth.

Real life case: I once signed up for an online banking service that relied on cookies. About once every couple of months I had to reapply by post for a new access code, as the cookie had disappeared for one reason or another. It got to be such a pain that I ended up leaving the bank.

rogerd

7:56 pm on Dec 9, 2002 (gmt 0)


Aus_dave, using a cookie as your access control tool could be tricky for the reasons that sugarkane points out. Nevertheless, if you used a cookie to identify users and made them sign in, you could track user logins vs. cookies - if you had more than a couple of cookies showing up for one user (e.g., home and office, or laptop & desktop), that could be a flag for further investigation. I.e., if a particular user is showing up with 10 cookies (or no cookies, and a bunch of different ISPs), that would indicate possible distribution of access info.

Finding simultaneous usage from different IP addresses for the same user might indicate fraud as well. Overall, I'd say that very limited fraud (e.g., I tell one friend) might be pretty hard to detect. Anything major, though, should create some detectable patterns.
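The cross-checking rogerd describes, written out as an added example (not code from the thread or any poster): it runs three heuristics over a constructed login log and flags accounts worth a closer look. The log layout, the thresholds, and the use of distinct IP addresses as a stand-in for "different ISPs" are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a login log (not real data): one row per successful
# sign-in, recording the per-device cookie the browser presented (None when
# the browser had no cookie) and the client IP address at the time.
SAMPLE_LOG = [
    ("2002-12-09 08:00", "alice", "ck-alice-home", "203.0.113.5"),
    ("2002-12-09 12:30", "alice", "ck-alice-work", "198.51.100.9"),
    ("2002-12-09 09:00", "bob", "ck-bob-1", "203.0.113.20"),
    ("2002-12-09 09:10", "bob", "ck-bob-2", "198.51.100.30"),
    ("2002-12-09 09:40", "bob", "ck-bob-3", "192.0.2.40"),
    ("2002-12-09 10:15", "bob", "ck-bob-4", "192.0.2.41"),
    ("2002-12-09 11:00", "carol", None, "203.0.113.77"),
    ("2002-12-09 11:05", "carol", None, "198.51.100.78"),
    ("2002-12-09 11:45", "carol", None, "192.0.2.79"),
]

def find_suspicious(log, max_devices=3, max_cookieless_ips=2,
                    window=timedelta(minutes=15)):
    """Return {username: [reasons]} for accounts that look shared.

    Heuristics from the thread: too many distinct device cookies, cookie-less
    logins from several different addresses, and near-simultaneous logins
    from different IPs. A hit is a flag for review, not proof of sharing.
    Thresholds are assumed values; tune them to the real user base.
    """
    by_user = defaultdict(list)
    for ts, user, cookie, ip in log:
        stamp = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        by_user[user].append((stamp, cookie, ip))

    flags = defaultdict(list)
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r[0])
        cookies = {c for _, c, _ in rows if c is not None}
        if len(cookies) > max_devices:
            flags[user].append(f"{len(cookies)} distinct device cookies")
        cookieless_ips = {ip for _, c, ip in rows if c is None}
        if len(cookieless_ips) >= max_cookieless_ips:
            flags[user].append(f"no cookie from {len(cookieless_ips)} different IPs")
        # Overlapping use: consecutive logins from different IPs inside the window.
        for (t1, _, ip1), (t2, _, ip2) in zip(rows, rows[1:]):
            if ip1 != ip2 and t2 - t1 <= window:
                flags[user].append(f"logins from {ip1} and {ip2} within {t2 - t1}")
                break
    return dict(flags)

if __name__ == "__main__":
    for user, reasons in find_suspicious(SAMPLE_LOG).items():
        print(user, "->", "; ".join(reasons))
```

With the sample above, alice (two devices, hours apart) passes cleanly, while bob and carol each trip two of the three checks.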

aus_dave

10:22 am on Dec 11, 2002 (gmt 0)


Thanks for your replies, you have given me some ideas to investigate further. Nothing is foolproof by the look of it ;).