On Wed, Sep 17, 2003 at 08:39:58AM +0200, Frank Maas wrote:
Ged wrote:
How to avoid multiple logins?
The short answer is: you can't.
Sure you can. Charge $10 per login.
I don't want to clobber the list with non-technical trivia, but
even when you charge money, you can't avoid it. If only there is
one user that is willing to pay the amount twice, your scheme
is broken. As with technical solutions: the higher the amount
you charge, the lesser the risk of people doing it. But the
risk remains...
The only nearly reliable way I have found of doing this is to
implement a two stage registration process. Normal online
registration with a face to face sales meeting where the account
is activated. This however requires significant investment in an
offline process and backoffice.
On the down side people can always :-
A. Use another legitimate account (Beg, Borrow, Steal)
B. Have another meeting where an actor obtains the new account details
(Fraud).
In respect to client side cookies this does not help as I will often in
the case of system testing use multiple machines (Unix/Windows) with
multiple browser versions.
Your best bet is to use server side token versioning which will prevent
multiple browsers simultaneously using the same login but does not prevent
different logins being used.
Hope it helps
Paddy
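
A sketch of the server-side token versioning suggested above, added here as an example and not code from the thread. It assumes an in-memory version table and an HMAC-signed token of the form user:version:mac; the names login, check and demo are hypothetical.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)  # signing key, regenerated per process (assumption)
_versions = {}                    # server-side table: user -> current token version


def _sign(user, version):
    msg = f"{user}:{version}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def login(user):
    """Issue a new token; bumping the version invalidates all earlier tokens."""
    version = _versions.get(user, 0) + 1
    _versions[user] = version
    return f"{user}:{version}:{_sign(user, version)}"


def check(token):
    """Return the user if the token is authentic and the newest one, else None."""
    try:
        user, version_s, mac = token.rsplit(":", 2)
        version = int(version_s)
    except ValueError:
        return None  # malformed token
    if not hmac.compare_digest(mac.encode(), _sign(user, version).encode()):
        return None  # forged or tampered token
    if _versions.get(user) != version:
        return None  # superseded by a later login on another browser
    return user


def demo():
    # Constructed scenario: two browsers share one login, a third uses another.
    first = login("alice")   # browser A
    second = login("alice")  # browser B, same login: browser A is now logged out
    other = login("bob")     # a different login is not affected
    return check(first), check(second), check(other)


if __name__ == "__main__":
    print(demo())
```

As the message says, this stops two browsers from using one login at the same time; it does nothing about one person holding several logins.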