Is there any way to limit a user’s login access to only, say, 5 IP addresses daily? Such that if a user account tried to login in the same day from a 6th different IP address, they would be denied. I would like this restriction to reset at the end of the day, however.

If Authlogic doesn’t provide a way to track this out of the box, what ideas do you have about how I should implement this? As you can probably tell, I’m already using Authlogic for authentication.

My main goal is to limit my user’s ability to share their login with a non-registered user; I know that most people’s IP address will change periodically throughout the day because hardly anyone has a personal static IP, but I think 5 is a fair number of allowances, even taking into account that a user may visit my site on their iPhone, or at Starbucks, etc.

Thoughts?

UPDATE: After reading through many of the comments on the link provided by @tadman, I’m thinking that it might be more useful to limit the number of new sessions created on a machine that had none previously instead of by IP address. If I understand how Authlogic works, sessions are a combination of server-side records and a cookie in the user’s browser, correct? If I “log out” of my site, the cookie is still there in my browser, is it not? Just with an expired value or something like that. Can I test against that? Such that if a computer that doesn’t have that cookie at all I would consider to be a completely NEW login, and I would limit the number of new logins to 5 a day? Would that be feasible approach?

See this user’s comments about rate limiting by IP for an angle on what I mean: http://simonwillison.net/2009/Jan/7/ratelimitcache/#c43031