Hi,

I have a subscription based website (with a monthly fee) and I would like to prevent users from sharing accounts in order to avoid paying the monthly fee.

Is there a way this can be done?

Cheers,

Mike

+1  A: 

You're pretty much out of luck here, unfortunately. The only potential route you could take here would be checking IP addresses, but this is extremely unreliable for this mechanism.

Erik Forbes
Right. Obviously, you could say "You may only use the server from one IP." This will defeat most account sharing but also piss off a large group of legitimate users.
Matthew Flaschen
+1  A: 

Keep a log of the IP addresses of the account. If it changes quickly and often I think it is safe to assume that the account is used by multiple people.

Peter
I thought most people get allocated a new IP each time they connect through their provider. I don't think this approach will be a good indication of unique users.
paul
@Paul: Your assumption is correct. Our DSL line works that way.
Adrian Grigore
+4  A: 

The approach with IP is not suitable, because there are users that use the same external IP in order to surf the web. But in some cases it's a suitable approach (let's say in an intranet web application, for example). You can monitor the number of concurrent sessions for the same login. Then one approach would be to log when more than 1 concurrent session is present for the same login. Then you may analyse the logs. Based on this data you may take some actions. Good luck.

diadiora
Multiple users on the same machine would not work because they don't share cookies. So if the session is cookie based then that would not work.
Martin Murphy
+2  A: 

There is no way of doing this for definite. However, you could add a layer of authentication on top to ask them some form of security questions like date of birth, place of birth, etc.

I would be more reluctant on giving a bunch of people this information!

Penfold
Also don't allow multiple sessions of login, implementing it in the authentication layer!
Khurram Aziz
I would also be reluctant to give this information to a random website.
Erik Forbes
A: 

I haven't heard of someone doing that, so we'll have to think and come up with something.

Log the IP address with account id and activity timestamp. Look for a web service which tells you where that IP is from. Look for connections from the same account on different IPs.

For example, if I have 2 concurrent sessions on the same IP, you can't be sure. Maybe I have Firefox and Chrome open at the same time.

If I have 2 concurrent sessions with different IPs, then you're positive I'm sharing accounts (if this happens often).

If I use, throughout the week, several different IPs, you can't tell, because I'm allowed to use different computers, or use my friends' internet connection when I'm visiting. Even if the IPs are in different countries.

So, I would suggest logging the IP addresses, looking for a location service, and testing rules written from live data.

DonkeyMaster
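The rule described in the answer above (concurrent sessions from different IPs, counted only when it happens often), sketched as an added example that is not code from any poster in this thread. The log line format, the session id field and the `min_overlaps` threshold are assumptions; the log lines are constructed and use documentation IP ranges.

```python
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample log (assumed format): timestamp, account, session id, IP.
SAMPLE_LOG = """\
2024-05-01T09:00:00 alice s1 192.0.2.10
2024-05-01T09:05:00 alice s2 192.0.2.10
2024-05-01T09:30:00 alice s1 192.0.2.10
2024-05-01T09:40:00 alice s2 192.0.2.10
2024-05-01T10:00:00 bob s3 198.51.100.7
2024-05-01T10:10:00 bob s4 203.0.113.9
2024-05-01T10:20:00 bob s3 198.51.100.7
2024-05-01T10:30:00 bob s4 203.0.113.9
2024-05-02T20:00:00 bob s5 198.51.100.7
2024-05-02T20:05:00 bob s6 203.0.113.44
2024-05-02T20:15:00 bob s5 198.51.100.7
2024-05-02T20:20:00 bob s6 203.0.113.44
2024-05-01T08:00:00 carol s7 192.0.2.50
2024-05-03T19:00:00 carol s8 203.0.113.80
"""

def session_spans(log_text):
    """Collapse log lines into {account: {session_id: [first, last, ips]}}."""
    spans = defaultdict(dict)
    for line in log_text.splitlines():
        ts, account, sid, ip = line.split()
        t = datetime.fromisoformat(ts)
        first, last, ips = spans[account].setdefault(sid, [t, t, set()])
        spans[account][sid] = [min(first, t), max(last, t), ips | {ip}]
    return spans

def concurrent_ip_overlaps(log_text):
    """Count, per account, session pairs that overlap in time and share no IP."""
    counts = {}
    for account, sessions in session_spans(log_text).items():
        n = 0
        for (f1, l1, ips1), (f2, l2, ips2) in combinations(sessions.values(), 2):
            # Same-IP overlap is ignored: it may be two browsers on one machine.
            if f1 <= l2 and f2 <= l1 and not (ips1 & ips2):
                n += 1
        counts[account] = n
    return counts

def flag_accounts(log_text, min_overlaps=2):
    """Flag only repeated overlaps; a single one is not treated as evidence."""
    counts = concurrent_ip_overlaps(log_text)
    return sorted(a for a, n in counts.items() if n >= min_overlaps)
```

On the sample, `alice` (two sessions, one IP) and `carol` (different IPs on different days) are not flagged; `bob` is, because overlapping sessions from different IPs occur on two separate days.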
+1  A: 

Are you trying to stop multiple people using the same account at the same time or at different times?

You can stop the former by storing a GUID in a user's session and checking it against a value you've set in a cookie. No problem.

You just can't reliably stop the latter. Storing the IP will work to some extent, but most home users are allocated a new IP frequently (as previously stated by another comment). You could use an IP -> Location and check if the location varies frequently.

Unfortunately, savvy users will use a proxy server to defeat this mechanism too.

Mark Worth