If it is login based, you can issue the user an ephemeral token when they login, and tie *that* to a specific IP address. It expires after a time period or logout..whichever is first.
When the user logs in next, a new token is generated and issued.Nothing would ever prevent someone from giving their friend their account (hell, if you give your friend your bank card and a pin number..they can use your bank account too. lol). They just wouldn't both be able to use it at the same time.
I've got the 'ephemeral token' (:P) that you speak of, all nicely rigged up in my code I guess I'll just have to cope with either limiting people to a single IP or applying the 'no two people at the same time' rule that you two speak of.
]]>Nothing would ever prevent someone from giving their friend their account (hell, if you give your friend your bank card and a pin number..they can use your bank account too. lol). They just wouldn't both be able to use it at the same time.
]]>