I want to control account sharing. The user account can be only logged into my web application once at a time. I thought of checking IP or browser type but seems not good enough.
What's the best solution?
I want to control account sharing. The user account can be only logged into my web application once at a time. I thought of checking IP or browser type but seems not good enough.
What's the best solution?
The combination of IP address and User agent string should be good enough to unique a user. User agent strings are highly variable. Edit: this assumes you want to allow a single user to be able to view the app in multiple browser tabs / windows from a single location. Is this the case?
IP address alone is not sufficient :
In that kind of situation, I generally use something based on a combinaison of :
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7pre) Gecko/20091221 Ubuntu/9.10 (karmic) Firefox/3.5.6")text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8")fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3")ISO-8859-1,utf-8;q=0.7,*;q=0.7")If only on of those is different from the previous request, I consider it's OK ; but if more than 2 or 3 of those are different, it's strange, and it often mean it's not the same user.