I am looking for a way to prevent my web site users, who sign on with a pair of username passwords after their registration, from logging in from multiple computers. Actually i am looking for a way to register the computers that the users log on from and prevent them to give their username,passwords to eachother. I found out that in asp.net and actually in all websites programming languages, it is not possible to detect the mac address of the client's network card. Meanwhile things like browsername and ip address which can be detected via httpcontext.current are not usable for me because most of the users have dynamic ips. Also i want something more strict than the computer name because it is not something unforefitable.
Please guide me what solutions i can use without involving hardware token based solutions. Thank you.
About the best you can do is to record (likely in a database or in-memory cache) when one user is logged in with a timeout and then update the timeout on each request. Then, dissalow that user to log in while the "isLoggedIn" value is current (ie. hasn't expired). You should also expire the timeout on an explicit logout.
In theory, you could also expire the timeout in the sessionExpire event, but we've noticed that event isn't particularly reliable, and we wanted a shorter timeout, hence using our own timeout scenario.
For more stringent securities, you can also stash the session ID, and a browser fingerprint if you feel so inclined, along side the timeout to combat users who get in between your timeout and the session timeout.
In the long run, however, there isn't really any 100% secure way to keep users from sharing accounts. About the best you can do is try to limit the "duplicate user" scenario to make it painful for them to have the same account logged on more than once at the same time.
Lastly, just as a side-note, a dynamic IP doesn't typically change that often (unlikely to change within an application session), so you may be able to leverage that as well in a fuzzy fashion.