Validating user computer for website login

Here is our scenario...

We are developing a website with paid membership. Our client does not want our users to take one paid membership and share these details with their friends so that others can also use this website. So he wants to limit the login to the registered person's computer.

Our client is ready to have all users install some plugin or application after registration. Something like a video plugin for Gmail video.

Ideally we want website login to initiate this application so that it can cross-check the MAC address or some other unique information to make sure that the user is logging in from a registered computer. Please let me know if this is feasible.

Also, if you have any other suggestions to achieve this goal, please let us know about that too.

Thanks in Advance

Forget it. There is no sane way to do this without writing custom plug-ins for every browser. That would be an insane amount of work and a privacy nightmare to boot.

No paid service I've ever heard of does this, and there are good reasons why they don't.

That said, proprietary media services do this all the time: for example, iTunes allows its content to be played on (IIRC) 5 machines max. And no one will give away their iTunes credentials to a friend, because you can buy stuff with them. Maybe your service can piggyback on iTunes or another similar service. They have already invested the insane amounts of money and time necessary to build proper DRM.

But most likely, your client needs to be told that it's an unrealistic requirement, and that they should provide their service the normal way, like everyone else does.

Actively requiring something like this of your users is a good (and darn near guaranteed) way of losing all of those users.

Best you can do is check passively, logging IPs over time. Maybe limit their login to 5 IPs in 24 hours, but then you'd also have to give an exception for mobile IPs.

Basically, it's a nightmare; don't do it.

Do you have a way for a user to log in from their multiple computers/tablets/phones? Users need to be able to register multiple devices.

Take a look at how Apple accounts work in iTunes. They allow users to authorize up to 5 computers at a time, which means that although a user could share their account with a friend, at least it's limited to 5 people. On the plus side, one user could authorize their account on their home computer, work laptop, desktop, etc.

Another idea is to only allow 1 simultaneous login at a time. That way, if a user shares their account with a friend, they can't be logged in while their friend is also logged in. This is a good deterrent for people to not share their accounts. However, constantly re-logging in would be annoying for people who legitimately want to be logged in on multiple devices.

For mobile users you can develop a mobile app, then you can easily control the number of users logged in with a device based on IMEI or something. For non-mobile users, an easier way than a plugin is providing the users with browser extensions and, based on that extension, limiting the number of connections to the accounts.

I would suggest using a browser cookie that holds a unique session id when a user logs in and tracking the sessions at the back-end server. E.g.:

User[joe@foo.com] =  {
    Session[1] = 1234;
}       

When user joe@foo.com logs in from another device, you would have

User[joe@foo.com] =  { 
    Session[1] = 1234;
    Session[2] = 4567;
}

at which point you terminate Session[1] or send a message to Session[2] to log out of Session[1].

Tracking IP or MAC addresses is not a good solution. Since it is a web-based app, the IP addresses will change if the browser is on a smartphone or the user has a dynamic IP. IP addresses are the public-facing addresses and often devices are behind routers/firewalls that do NAT. Also, there is the possibility of tablets and other devices accessing the web app.

I think once users realize that login sessions are tracked, they learn very quickly not to do it.

You could make this a feature so that if a user wants a multi-user account, e.g. a five-user account, you could offer it at a slight discount and it would be a win-win for all.
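The session-tracking approach from the answers above, written out as an added example (not code from any of the answers): a server-side registry that caps live sessions per account and evicts the oldest one on a new login. The class and method names are hypothetical, the in-memory dicts stand in for a shared session store, and `max_sessions` covers both the single-login rule (1) and the five-device or five-user account (5).

```python
import secrets
from collections import OrderedDict


class SessionRegistry:
    """Server-side record of live sessions per account, capped at max_sessions."""

    def __init__(self, max_sessions=1):
        if max_sessions < 1:
            raise ValueError("max_sessions must be at least 1")
        self.max_sessions = max_sessions
        self._by_user = {}  # user -> OrderedDict(session_id -> device label), oldest first
        self._owner = {}    # session_id -> user, for O(1) lookup on each request

    def login(self, user, device="unknown"):
        """Create a session; return (new_session_id, list of evicted session ids)."""
        sessions = self._by_user.setdefault(user, OrderedDict())
        evicted = []
        # Make room for the new session by terminating the oldest ones first.
        while len(sessions) >= self.max_sessions:
            old_id, _ = sessions.popitem(last=False)
            del self._owner[old_id]
            evicted.append(old_id)
        # The cookie value is an unguessable random token, not a counter.
        sid = secrets.token_urlsafe(32)
        sessions[sid] = device
        self._owner[sid] = user
        return sid, evicted

    def is_valid(self, session_id):
        """Checked on every request: evicted or unknown cookie values are rejected."""
        return session_id in self._owner

    def logout(self, session_id):
        user = self._owner.pop(session_id, None)
        if user is not None:
            self._by_user[user].pop(session_id, None)

    def active_devices(self, user):
        return list(self._by_user.get(user, {}).values())


if __name__ == "__main__":
    reg = SessionRegistry(max_sessions=1)        # constructed sample logins
    first, _ = reg.login("joe@foo.com", "laptop")
    second, evicted = reg.login("joe@foo.com", "phone")
    print(evicted == [first], reg.is_valid(first), reg.is_valid(second))
```

Because the check runs on the server for every request, the evicted browser is logged out on its next page load without any client-side plugin.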
