Best way to check if user has two instances of website running

I have some ideas ab开发者_JAVA技巧out it but very basic and not complete. I wonder what is the best way to check if same PC/IP is logged with two different users and runs two instances of my website?

If two users have the same IP, they are either

• on the same computer
• in the same household, office or company with a shared internet connection
• in the same Internet café

this is as far as you can get. Reliably detecting whether two sessions are on the same computer is close to impossible, as there is no metric that could help you tell.

If you want to battle fraud, you will need to use different methods.

First, let the server send a unique token (e.g. csrf token) when the page loads and each time the user interacts. Then, let each user interaction (post or request) include this token (and generate a new one).

When you get unexpected tokens from the same IP adress, you apply a second trick: add the mousevent timestamps to the request and log (to the millisecond) the time differences (henceforth dt) between the local server time and the timestamp that came with the token, with a certain error margin for the variation in delaytime.

In the case two instances are running on the same PC, dt will be equal for both unique tokens (that were generated during the most recent interaction or pageloading).

On another physical computer, the chance that the dt is the same (even within the error margin) as on another pc on the same IP adress is extremely small, so that you have a valid way of testing.

you can check the ip-address, user-agent, time-zone, activated plugins... To avoid more than one users logged in from the same computer you can set cookies or transmit a session key on every link. (you have to combine the hash with the ip-address an user-information you get because of copying the link should not log in other users into the account the hash belongs to)