You can save the ip address, user id or login and last time of logging in to your app into database and check against it when some user logs in.
If user logs in, you store his/her ip address, id/login and last time of logging in to the app into table. If an attempt is made to login third time from the same ip address you reject it.
When user logs out you remove the record from the database.
You need to be careful with situations when user session expires automatically but the record is in the database.
In order to avoid that you can set permanent session to True (session will not be destroyed even if the browser gets closed) and set its duration to a fixed amount of time - let's say 48 hours. Then you can create a procedure which will run periodically in your db and check the last time of logging in and the duration of the session. If the difference is more than 48 hours, it deletes the record from the database.
You should also take into account whether your ip addresses are static or dynamic. With static ip addresses it should be much easier. With dynamic - it depends on how often they change, but definitely it will be more complicated.
Before a user logs in you can get his/her ip address this way:
from flask import request
@app.route('/login', methods=['GET', 'POST']):
def login():
ip_address = request.remote_addr
# Check the ip_address and how many sessions are bound to it
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…