views:

103

answers:

2

I want to control account sharing. The user account can be only logged into my web application once at a time. I thought of checking IP or browser type but seems not good enough.

What's the best solution?

A: 

The combination of IP address and User agent string should be good enough to unique a user. User agent strings are highly variable. Edit: this assumes you want to allow a single user to be able to view the app in multiple browser tabs / windows from a single location. Is this the case?

danben
A: 

IP address alone is not sufficient :

  • Several users can have the same IP address (users behind a proxy at work, for instance)
  • A single user can have several IP addresses (that was the case a couple of years ago for AOL users, for instance)

In that kind of situation, I generally use something based on a combinaison of :

  • IP address
  • And several other HTTP headers, like, for instance :
    • User-Agent (for instance, it can be as complex as "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7pre) Gecko/20091221 Ubuntu/9.10 (karmic) Firefox/3.5.6")
    • Accept (for instance, "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8")
    • Accept-Language (for instance, "fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3")
    • Accept-Charset (for instance, "ISO-8859-1,utf-8;q=0.7,*;q=0.7")

If only on of those is different from the previous request, I consider it's OK ; but if more than 2 or 3 of those are different, it's strange, and it often mean it's not the same user.

Pascal MARTIN