can I add a quick 2 cents? >> I make a web-service call back the to the CF Server to validate the UUID is a paid customer in the DB.
sometimes the computer that the exe is installed on has no (and may *never* have) internet connection. sure it can be downloaded onto *some* machine that has internet access but there's no guarentee that's the same machine that the app is going to be installed on. how are you going to cater for that? if you say "bad luck" then *please* make this totally clear on your website before a customer downloads your app. better to loose customers at the start than dissapoint them later. just my 2c barry.b On 2/24/06, Patrick Branley <[EMAIL PROTECTED]> wrote: > Thanks for you help guys. > > I think it looks like im on the right track using the GUID. > > cheers > > Pat > > > On 2/23/06, Gary Menzel < [EMAIL PROTECTED]> wrote: > > > > Just taking a few other layers in your idea (of getting the server to > validate the licence key)..... > > > > * Just returning "true" is not "safe" - someone could circumvent your call > to the server through a proxy and just return "true" anyway. You really > need to have the server return a reciprocal hash of the GUID that the EXE > can validate (but even this could be circumvented if someone could work out > your hash algorithm ( e.g. if you just used standard MD5 hashing). > > > > * Alternatively, you send them the GUID - this is an activation code. It > is sent to the server - which returns the REAL GUID as part of the process - > which they then type into the EXE. This is simple to do - just generate 2 > GUID's and store them together (the first is the key to the other). > > > > * Most applications that do a registration like this online ask for some > information to be entered into a web page (Name and Company - for example) > and then provide a GUID that is hashed from those things. You type exactly > the same thing into the application, along with the GUID/HASH - which uses > the same hash algorithm - and compares the result it gets to the one typed > in and unlocks if it is OK. > > > > BUT - it really depends on how secure you want the application to be. > > > > We use a GUID activation method for password resets. The user is NEVER > emailed their login details. They get a ONE SHOT link with a GUID in it. > This page provides them the login details. If they try the link again - it > dies. This is done to prevent email hijacking trojans from mailing your > login details to everyone on your address book. The same concept could work > as a one shot for the application (but you would have to store the GUID and > continue to verify it each time you ran the application). > > > > Lots of solutions MIGHT work - but not all will be suitable. > > > > > > > > > > On 2/23/06, darryl lyons <[EMAIL PROTECTED] > wrote: > > > Well, given that a UUID or GUID is meant to be a "globally" unique > value, then it is a pretty good thing to use a hard to guess string. > However, depending on what you are using, you may get a sequential GUID, > which in theory is able to be guessed.... You could always just hash some > values and use that. > > > > > > Darryl > > > > > > > > > On 2/23/06, Patrick Branley < [EMAIL PROTECTED] > wrote: > > > > Hi Guys > > > > > > > > Just wondering how secure using a CF UUID or SQL GUID as product > activation key would be ? > > > > > > > > Heres my idea for the scenario > > > > > > > > 1. user purchases software, write a record to the DB on payment and > email them the UUID thats generated. > > > > > > > > 2. when they launch the application (an EXE) they must enter the UUID > to have it activated. I make a web-service call back the to the CF Server to > validate the UUID is a paid customer in the DB. if they web service returns > true the application becomes active. > > > > > > > > 3. I store the UUID in either the registry or an XML file in the > installation folder and re-check each time they launch the app. > > > > > > > > The only other thing i can think of doing is actually storing the > hashed version of the UUID in the db and doing a compare to make the db more > secure. > > > > > > > > > > > > > > > > > > > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "cfaussie" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/cfaussie -~----------~----~----~----~------~----~------~--~---
