I'm assuming you're talking about a free service? I can't think of any ways that don't either have serious drawbacks or would be trivial to defeat. Things like setting a cookie, requiring a unique e-mail address are easy to defeat.
Requiring a unique IP address is not foolproof but might work to some degree, up to the point that you have lots of users and get complaints from people behind proxies.
The best ways are to charge money or require people provide some kind of personal information, like real name/phone/address that you verify, or a CC number, but that's invasive (then again maybe you only want serious users who are willing to provide this sort of info).
I guess I would turn the question around and ask "Why don't you want to let people have multiple accounts?"
There may be some other ways of mitigating whatever your underlying reason is, i.e. if you're worried about lots of orphaned blogs you could scan for a period of inactivity and disable them or at least schedule them to be looked at by a human. If you're worried about spam blogs you could periodically scan all blog content for spammy stuff. If you're worried about bots and are using some generic software like WordPress, change the names of the form variables and otherwise protect your forms from bots.
Definitely think of other ways of dealing with the problem, because you are not going to be able to block people from registering multiple accounts if it's a typical free service like Blogger.
As for detecting multiple accounts by one person, the first thing you need to do is have a log file store complete data on every user login (username, timestamp, IP, user-agent etc.), that you can then analyze later. I'll list a few things to look out for, but just by poring over the log file you will likely discover other patterns. Some ideas of things to look for are:
- Set a tracking cookie (i.e. random hash) and log its value on login, look for multiple logins from the same cookie value
- Logins from same IP address/user-agent combination
- Logins from same IP address only (less reliable than the previous two bullets)
- Accounts with email addresses from free webmail services (Gmail etc.)
- Accounts with same password
If you're worried about spam blogs, you could try doing some analysis of blog content, i.e. extract all the <a href>s and look for correlations between blogs. You could run the blog content itself though something like SpamAssassin or otherwise filter for spammy words like "viagra" and "rolex."
Best Answer
If I would implement such a system, to have only one signon per user or something like that I would do something like this:
1: create an ID of the machine, based on IP, maybe using JavaScript/Java Applet/Flash you can get MAC or I don't know what things in consideration. For simplicity let's say I compute the host ID like this:
2: User1 log in and let's pretend I computed host ID = 666. WE look up a table in DB let's say table_hosts that containt this data (user, host_id)
3: User1 used all 5 downloads (keep track of them using session or records from database)
4: User1 try to login as User2 and now we compute the ID = 666, the same ID = 666, we lookup out table_hosts and find out that the same host ID was used doring that day by User1 too. Now we can ban the accounts with that ID, give warnings like 20% until ban etc
Hope I could help, but remember be creative, that's all that matter!
LE: Because others put in discussion shared machines the ID may be calculated like this:
But this have it's disadvantage too, the abuser may create 2 or more accounts on it's machine. Anyway I repeat be creative and yeah we should not forget that any lock can be lock picked.