Not really a PHP nor a MySQL question.
Of course it is possible - just not very practical. Browser fingerprinting
might provide some of the functionality - but is very far from a
complete/accurate solution. What you could try is:
1) only allow 1 concurrent login per user (if it's accessed via the
internet, you can't even assume that a user's IP address will be constant
throughout a session). You'll probably want to tie in the PHP session
expiry with the concurrency control.
2) if it's only running on a LAN, consider usig ident (available for MS too
- see the squid homepage).
3) use a one-time password, sent on request to the (registered) users email.
When they supply that token to a particular page on your site, drop a
long-lasting cookie on their browser which is required along with
conventional methods (username+password) to access the page. This can all
be packaged up in a single URL with a GET query.