Rails: Limiting daily user login count by IP address?

Question

Is there any way to limit a user's login access to only, say, 5 IP addresses daily? Such that if a user account tried to login in the same day from a 6th different IP address, they would be denied. I would like this restriction to reset at the end of the day, however.

If Authlogic doesn't provide a way to track this out of the box, what ideas do you have about how I should implement this? As you can probably tell, I'm already using Authlogic for authentication.

My main goal is to limit my user's ability to share their login with a non-registered user; I know that most people's IP address will change periodically throughout the day because hardly anyone has a personal static IP, but I think 5 is a fair number of allowances, even taking into account that a user may visit my site on their iPhone, or at Starbucks, etc.

Thoughts?

UPDATE: After reading through many of the comments on the link provided by @tadman, I'm thinking that it might be more useful to limit the number of new sessions created on a machine that had none previously instead of by IP address. If I understand how Authlogic works, sessions are a combination of server-side records and a cookie in the user's browser, correct? If I "log out" of my site, the cookie is still there in my browser, is it not? Just with an expired value or something like that. Can I test against that? Such that if a computer that doesn't have that cookie at all I would consider to be a completely NEW login, and I would limit the number of new logins to 5 a day? Would that be feasible approach?

See this user's comments about rate limiting by IP for an angle on what I mean: http://simonwillison.net/2009/Jan/7/ratelimitcache/#c43031

Answer 1

Although you can track this in a database, a more lightweight solution is to track this using Memcached. This allows you to do other things, like limiting login rates and restricting the number of unique IPs a person may visit from over the course of a given time.

The nice thing about Memcached is it will automatically expire records after a specified period of time. With the database-driven approach you will have to do this yourself.

Example: http://simonwillison.net/2009/Jan/7/ratelimitcache/

Answer 2

I'd probably create a table called sessions, which contains ip_address, logged_in_at, user_id. You'd do something like this when a user logs in:

session = current_user.sessions.build(:ip_address => ip_address)
if session.valid?
  session.save!
  redirect_to root_url
else
  redirect_to you_cant_login_url
end

In your session.rb, you'd have

class Session < AR:B
  belongs_to :user
  validate :hasnt_logged_in_a_bunch
protected
  def hasnt_logged_in_a_bunch
    if self.user.sessions.count(:conditions => ['logged_in_at > ?', Time.now.start_of_day]) > 5
      self.errors.add_to_base("You've logged in too many times")
    end
  end

Sorry if this is a bit ugly and isn't valid code, but it should hopefully point you in the right direction.