What is the best way to prevent users from sharing session cookies in Rails?
I think I have a good way to do this, but I would like to run it from behind to see if there is an easier way.
Basically, I would like to determine if someone is trying to share a paid membership with others. Users are already browsing at the time of logging in to log in from too many different subnets, but some of them tried to get around this by exchanging session cookies. What is the best way to do this without tying the sessions to IP addresses (many legitimate people use rotating proxies)?
The best heuristic I have found is the number of class B subnets / time (some internet providers use rotating proxies on different class C subnets). This created the fewest false positives for us, so I would like to stick with this method.
Now I am thinking of applying a filter to each request, which keeps track of which subnets and session_ids the user has used in memcached, and applies a heuristic to this to determine if the cookie is shared.
Are there any simpler or easier-to-implement ideas? Any existing plugins that do this?
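The heuristic described in the question (distinct class B subnets per unit of time, tracked per session_id on each request), sketched as an added example that is not part of the original post. The class name `SharingDetector`, the thresholds, the /32 grouping for IPv6 and the in-memory Hash standing in for memcached are all assumptions.

```ruby
require "ipaddr"
require "set"

# Added example: sliding-window count of distinct /16 ("class B") networks
# seen for each session cookie. A Hash stands in for memcached here; with a
# real cache the event list must be written back after each update.
class SharingDetector
  WINDOW      = 3600 # seconds of history considered (assumed threshold)
  MAX_SUBNETS = 3    # distinct /16s tolerated per session per window (assumed)

  def initialize(store = {})
    @store = store   # user_id => [[timestamp, subnet, session_id], ...]
  end

  # Collapse an address to its /16 (IPv4) or /32 (IPv6, assumed equivalent),
  # so proxies rotating across neighbouring class C ranges count once.
  def self.subnet(ip)
    addr = IPAddr.new(ip)
    addr.mask(addr.ipv4? ? 16 : 32).to_s
  end

  # Call once per authenticated request (for example from a before filter).
  # `ip` must be the client address as resolved by your trusted proxy chain.
  # Returns the session_ids of this user that currently exceed the threshold.
  def record(user_id, ip, session_id, now = Time.now.to_i)
    events = (@store[user_id] ||= [])
    events << [now, self.class.subnet(ip), session_id]
    events.reject! { |ts, _, _| ts <= now - WINDOW } # drop expired history
    suspicious_sessions(events)
  end

  private

  # Group the remaining events by session cookie and count distinct subnets.
  def suspicious_sessions(events)
    nets = Hash.new { |h, k| h[k] = Set.new }
    events.each { |_, net, sid| nets[sid] << net }
    nets.select { |_, seen| seen.size > MAX_SUBNETS }.keys
  end
end
```

A non-empty return value is a signal to act on (force re-login, rotate the session, or log for review) rather than proof of sharing, since the thresholds need tuning against your own false-positive rate.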