Refuse to log people in who are already logged in?

Is this a stupid idea?

mikomido

10:50 pm on Sep 3, 2007 (gmt 0)



I was thinking that I should make it so that people who are already logged in cannot log in unless they log out first. This would prevent somebody from using the same account on different computers or browsers at the same time.

But I am sure it has some sort of non-obvious, subtle drawback. What would that be? Do you know?

jomaxx

1:39 am on Sep 4, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Well, you'd better be able to handle it elegantly if people simply leave the site or close the browser window without "logging out". I'd guess that most people don't bother to explicitly log out, unless maybe if they're doing something super-sensitive like online banking.

Gibble

2:53 pm on Sep 4, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



That's going to be impossible to handle, and be a nightmare for your inbox.

Let's say I log in today with IP *.47. I do a little on the site, and leave without logging out. Tomorrow, I've got a new IP, *.23 and try to log in...but you don't let me. There's no way I can get that IP back, or log in without emailing you to fix things.

And this WILL happen frequently.

*edit. Though I suppose you could use cookies to determine a unique computer/browser session instead of IP/Agent.

Still, I think it's more hassle than it's worth.

[edited by: Gibble at 2:55 pm (utc) on Sep. 4, 2007]

jatar_k

2:55 pm on Sep 4, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



>> This would prevent somebody from using the same account on different computers or browsers at the same time

why does this matter?

mikomido

3:00 pm on Sep 4, 2007 (gmt 0)



Well, you're all right.

But at the same time, people might share accounts, and that is not a good thing.

vincevincevince

3:04 pm on Sep 4, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



No.

Log out people who log in again.

Assuming you use sessions, log the most recent session for a given user. When they log in again, if that session is still active, kill it.

Gibble

3:04 pm on Sep 4, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



That would make more sense to check for. Watch patterns, if the IP is going back and forth in a single session between two computers, then you have someone likely sharing their account, and you'd need to flag it and monitor it more closely and take action.

But, if you see a pattern, like 9-5 on IP A, and the rest of the time on IP B. Then it's likely the same person...just at work or home.

Demaestro

3:28 pm on Sep 4, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



It really depends on what the site is for and how important security and the integrity of the accounts is.

A lot of sites don't allow two accounts to be logged in at the same time. Some don't care. It isn't a dumb thing to do if your reasoning is sound.

Banks and most anything with financial transactions do it all the time. Same with sites that do Pay-Per-Views and online tutorials.

Most forums sites don't care. I have had an account that was disabled once for security reasons because I had logged in from too many different IPs. My bank asks me 3 questions from a 30 question questionnaire that I had to fill out before I can log in from anywhere that I haven't logged in from previously.

There are lots of good reasons to do this. If yours are good then go for it.

[edited by: Demaestro at 3:29 pm (utc) on Sep. 4, 2007]

vincevincevince

3:31 pm on Sep 4, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I've seen a number of sites which warn you when someone else is already logged in. It's a nice way to say "we know what you are doing... sharing your account IS noticed"...

Quadrille

5:43 pm on Sep 4, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Why not just time-limit the login?

My bank has no problem with that, and it would not cause any problems, provided you had a page for 'duplicate logger' that said "login denied - you may have your account open on another computer".

Denying access is all very well to deny account sharers - but if you deny access to genuine customers, you will lose them.

But either way it won't stop people sharing logins - they'll just tell their friends that if they're denied to try again later, when the other person has finished downloading (or whatever).

You could go mad trying to avoid the occasional cheat - better to recognise that it's usually a minority - and to factor the cost into your business model.
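The "log out people who log in again" approach vincevincevince describes, combined with the time-limited login Quadrille suggests, as an added example that is not part of the original thread. It assumes an in-memory store; the names `SessionRegistry` and `IDLE_TIMEOUT` and the 30-minute value are hypothetical.

```python
import secrets
import time

IDLE_TIMEOUT = 30 * 60  # seconds; assumed value, tune per site


class SessionRegistry:
    """Tracks one active session per user: the newest login wins."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}   # session id -> (user, last-seen time)
        self._current = {}    # user -> session id of the most recent login

    def _alive(self, sid):
        entry = self._sessions.get(sid)
        return entry is not None and self._clock() - entry[1] <= IDLE_TIMEOUT

    def login(self, user):
        """Start a session; return (new id, True if a live session was killed)."""
        old = self._current.get(user)
        replaced = old is not None and self._alive(old)
        self._sessions.pop(old, None)        # kill the previous session, stale or not
        sid = secrets.token_urlsafe(32)      # unguessable session id
        self._sessions[sid] = (user, self._clock())
        self._current[user] = sid
        return sid, replaced

    def _forget(self, sid):
        entry = self._sessions.pop(sid, None)
        if entry and self._current.get(entry[0]) == sid:
            del self._current[entry[0]]

    def authenticate(self, sid):
        """Return the user for a live session id, else None."""
        if not self._alive(sid):
            self._forget(sid)                # expired or already replaced
            return None
        user, _ = self._sessions[sid]
        self._sessions[sid] = (user, self._clock())  # sliding idle timer
        return user

    def logout(self, sid):
        self._forget(sid)
```

A user who closed the browser without logging out is never locked out, because the next login simply replaces the stale session. The `replaced` flag marks logins that displaced a still-active session, which is the event to log if you want to watch for account sharing.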