A few days ago we were asked by a question: How do you know there is no other using the same account at the same time? This is the question often asked when a website is charging its users by the number of accounts. That is, if two users want to access the website, they have to pay for two accounts, instead of using one shared account.

Also, from the security perspective, web master should have the responsibility to ban multiple users using the same account.

So back to the question: How?

No Solution

Yes. There is no complete solution for the question. There is no perfect way to ban people sharing their accounts.

A basic level of checking

However, it doesn’t mean there is nothing to do against this. One of the most commonly used approach is to keep tracking of the IP and the time-span for each activity of each account. If the same account has different IPs at almost-the-same time-span, then it is a hint to show that sharing of accounts happened.

This solution assumes that the access from two different IP is made by two different user, while access from the same IP is made by the same user.

To break it into more detailed steps, here is the process flow:

  1. When there is a request from a user account, record the IP and the time of the action.
  2. Compare the IP of this action with the IP of the last action of this user account.
  3. If the two IPs of the step 2 is the same, it means the account is used by the same person, the server should response normally.  Otherwise, go through the next step.
  4. Check if the time of the last request and time of this request. If the time difference exceeds a limit (say 10 minutes), it means that the last action has “expired” and the IP of the last action has no use anymore, so the server should response normally. Otherwise, account sharing is happening, do whatever needed to stop this request.

This is only a lowest level of checking to prevent account sharing. Some other additional checking, such as checking of the browser’s User-Agent string, cookies etc., should be accompanied with it.

Also, please be aware that this approach will not work when users accessing the website through a proxy. Some proxies will show a fixed IP while the request may actually comes from different computers. Some proxy will show a varying IP even when the requests are actually coming from the same computer.

We are not experts on web application security, we just tell whatever we think possible. Comments are always welcomed!