That doesn't seem so hard but might annoy users.
Conceptually:
- you need to force the user to log in. That's obvious and is built into ACS. That basically means that you send a token encoded in a cookie from which you can get the id of the user (user_id)
- then you need to generate a unique session id and encode it in a cookie as well; I don't know if there is any support for this built into ACS
When a user logs in you generate a session id and insert (user_id, session_id) into a database. Upon (explicit) logout you remove this pair. Upon a new login you check if there is another session for the given user_id. If not - fine. If yes, it means that there are two sessions in progress. Of course it doesn't really mean that the user shares a password. Maybe he logged in at work, didn't log out (explicitly), came back home and logged in from a different computer.
There's also a question: what to do when you detect session sharing. You can silently drop the previous session, which is ok for the above scenario (the same person logging on from different computers; he won't even notice). This would annoy the password-sharing scenario because two people couldn't access this paid service at the same time. They could, however, access it if their usage hours are not overlapping. There's no good way to prevent that. You can log the IPs from which any given user logs in and, if you detect a suspicious pattern (e.g. he logs in from 5 different IPs every day, sometimes from 2 different IPs at the same time), make a call on banning such a user. But you cannot automate that very well.
Also each protection technology has a trade-off: you want to deter the (probably few) bad guys without annoying the (probably a majority of) good guys (paying customers). In this particular case the second part will be very hard to achieve, so overall any effort to protect might not be worth it.
As a side note: it seems like Apple has something like that as part of their developer program (you have to sign up for that and log in to get the tools etc.). I just logged in a second time today and they detected a second session. I guess Apple went for "silently dropping previous session" since I don't have any problems accessing the site because of that.
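
The scheme described in the post above, as an added example that is not part of the original post and is not ACS code: a (user_id, session_id) table where a new login silently drops the previous session and logs the IP for later manual review. The table names, function names and the use of SQLite are assumptions; the IP addresses are constructed documentation values.

```python
import secrets
import sqlite3


def open_store():
    """In-memory stand-in for the site's database (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (user_id INTEGER, session_id TEXT PRIMARY KEY, ip TEXT)")
    db.execute("CREATE TABLE login_log (user_id INTEGER, ip TEXT, replaced_ip TEXT)")
    return db


def login(db, user_id, ip):
    """Create a session and silently drop any earlier one for this user.

    Returns (session_id, replaced); replaced is True if a live session was dropped.
    """
    with db:  # check, drop and insert in one transaction
        old = db.execute("SELECT ip FROM sessions WHERE user_id = ?", (user_id,)).fetchall()
        db.execute("DELETE FROM sessions WHERE user_id = ?", (user_id,))
        session_id = secrets.token_urlsafe(32)  # unguessable value for the session cookie
        db.execute("INSERT INTO sessions VALUES (?, ?, ?)", (user_id, session_id, ip))
        db.execute("INSERT INTO login_log VALUES (?, ?, ?)",
                   (user_id, ip, old[0][0] if old else None))
    return session_id, bool(old)


def is_valid(db, user_id, session_id):
    """Per-request check: the cookie's session id must still be the stored one."""
    row = db.execute("SELECT 1 FROM sessions WHERE user_id = ? AND session_id = ?",
                     (user_id, session_id)).fetchone()
    return row is not None


def logout(db, user_id, session_id):
    """Explicit logout removes the pair, so the next login replaces nothing."""
    with db:
        db.execute("DELETE FROM sessions WHERE user_id = ? AND session_id = ?",
                   (user_id, session_id))


def takeover_count(db, user_id):
    """Logins that displaced a live session from a different IP (for manual review)."""
    return db.execute(
        "SELECT COUNT(*) FROM login_log WHERE user_id = ? "
        "AND replaced_ip IS NOT NULL AND replaced_ip <> ip", (user_id,)).fetchone()[0]
```

A high `takeover_count` only marks an account for a human to look at; as the post says, the work-then-home case produces the same signal as password sharing.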