[eluser]jonez[/eluser]
Create a table that stores activity, log a users IP + user agent hash when they sign in. Any time a user logs in, check that table for activity < 5min ago (or whatever your session timeout is). If you see the same user with a different IP / hash you can block their sign in.