Detect Shared Accounts


I have a website that allow VIP user to update a software , in updating environment JavaScript and Cookie is disabled and we can use Server Side scripts

I want to prevent users to Share VIP information , How can I do this ? most of user have dynamic IP

Also we have 1 user , 3 user and 10 user VIP account that means , if you buy 10 user VIP account you can share your account with 10 people and system detect more than 10 people use this account your account will be banned

Usually our VIP users update software 1-2 times per day and update will take 1-5 minutes so it is less likely that one VIP account used Simultaneously by two person

I was thinking once to just destroy other sessions for same user account after login or any activity. You’d have to keep sessions in a db and keep track of session ids associated with user logins. Then just remove other than the current session.

This would log out users if anybody else logs in using same account. If somebody gives out his credentials he basically prevents himself from using the site or it would be very annoying to do so (loging out each other).

The side effect is that one user can’t use his account on two browsers or two computers at the same time, but that could be acceptable.