Well, if each person has a different username/password, then you can do it that way (having a server-side indicator of which username is currently allowed).

Alternately, in addition to the username/password, you could have them login to a session and prevent two sessions at once (where some session information is sent with each HTTP request for that user either as a cookie or a CGI parameter).

Pick which of these fits your situation better and then people can provide more details of the many ways to implement something along those lines.

        - tye (but my friends call me "Tye")