A simple way is to store the time and IP (or some other information that you feel is the location) in the database when someone logs in and then compare with that when someone tries to log in or access something. If it is within say 15 minutes from the time and it is the same IP then allow and store the new time, if it is within the 15 minutes but not the same IP then deny and if it is after the 15 minutes it is a new login. I think that you get the idea, if not please ask again.

I use a similar technique but I create a session() or set a random cookie. Any future connections (with a different sessionid or cookie value) are forced login. With cookies, you don't have to create artificial time limits unless you want them. If you rely on IP addresses, then an entire school could share a single username/password and you won't realize that they are different since they are all coming from the same proxy. If you do it with cookies, each new person who logs in automatically logs everyone else with that usename out... and it's really frustrating (or even impossible) to use a web site where you have to log in again with every new mouse click.

Yep, use a cookie or session, it makes more sence.

I didn't mean that the user should log in again with every mouse click, I just wanted the check if the user is already logged in with every mouse click. And to update the time until the login disapears as well.

Piranha: Right, I understood that you weren't suggesting that the user should login with every click.

I was saying that by using a cookie solution where every new login has the effect of logging out every other session of that same username, you create a situation where it becomes impossible for two (or more) people to use the same userid because everytime of of them logs in, they log the other person out.

For example, user A buys a subscription to your web site and shares his userid with user B - or maybe posts his username/pass on some web site for lots of people to share. User A logs in, starts doing stuff, and then user B logs in on a different machine. Now when user A tries to do anything, he's been logged out by user B so he has to login again - which logs out user B. So it becomes frustrating, or even impossible, for two (or more) users to share a single login.