As we are talking about a different account, probably on a different IP and client, you cannot easily find out clone accounts.

You can go for two more heuristic and gameplay options

1. As suggested before (by @dqhendricks), divide your resources and implement your sharing etc in such a way that you can t easily help your other account with every new account. Make finding other accounts in the beginning hard/impossible, make shareable resources a higher level feature etc. Downside is that this changes the gameplay, it doesn t have to be desireable.
2. You can perform heuristics on behaviour. There can be specific behaviour that is unwanted: only interaction with 1 other account etc. You could tweak some of the variables etc, but you could easily see suspicious behaviour. Make some sort of balance calculation. Most ingame interactions have some sort of balance. Ofcourse, better players may have a good deal because they know more, or the other way around: they make a bad deal to help smaller players. But when one player only gives and never takes, it s "helping" without acutally playing itself: that might mean it s a clone

Everything with ip-adresses or client-information ($_SERVER) etc is worthless in this case as far as I m concerned..

You could prevent multiple logins on the same Account (username/password).

If the issue is that they make multiple accounts with many different email addresses etc... and new usernames and passwords then you might be able to do it with Cookies for example that use a unique hardware id and then you simple check that not more than one account is active at any one time based on this hwid. if the hardware changes it doesnt matter as it is relative.

To clarify if the HW id for the first login is 1234 then the second login with generate the same hwid. If you check the cookies or your database (doesnt matter where you store it) for the same hwid then you know its already logged in.

If the hardware changes it doesnt matter as they will still both generate the same hwid.

If they use two computers though the haardware id will be different and this will work.

{sharable resources} = {total resources} - MAX(({starting resources} - {spent resources}), 0)

make only non-starting resources sharable, or maybe make sharing resources an ability you don t gain until level x.

Preventing spoofed/duplicate accounts (while ensuring all legitimate accounts work) is a very difficult task -- for reasons laid out by others. In addition to trying to guard against concurrent multiple accounts, one must guard against non-concurrent multiple account usage.

The core issue isn t so much in determining where an account connected from, but being able to trust that a user only has one account -- and to this end the only "real" solution is to use a system which already provides this sort of information, such as a credit card or paypal account ;-) That is, simply prevent someone from creating a new account (although an account can have multiple aliases/profiles, but these can be trivially tracked) unless they can prove "uniqueness".

(Also consider that two people may have two different accounts on the same machine.)

Happy coding.

I run an online game server aswell. To prevent your dilema, either modify the game client to read the MAC Address, and only allow 1 account per computer. Or log the ip s and only allow the resources to be given to that ip twice. 3rd option: Don t allow transfering of materials from the same ip addresses 4th option: Add a timer on the transfering of resources, make them wait 10 minutes of gameplay before they can do anything like getting rid of the items for others to get