posted 13 years ago
Sounds like maybe a case for javax.servlet.http.Cookie
When they first visit, or download, set one and store IP address and maybe some other values for identification as well.
Of course, this won't prevent them from simply clearing the browser cookie cache or changing IP's between download attempts, but if they do not require a user id, there is only so much that can be done I think.