On Jul 19, 2006, at 4:06 PM, [EMAIL PROTECTED] wrote:
Now, I have a license code stored in a text file on each user's computer. Of course it has the expiration date coded in it. I am thinking it's more secure to have the application "phone home" and get authorization from a server system. I would have a database of users, their passwords and their expiration dates. Every time they start the program, it would send out some messages via the web to access their code and get a "yay" or "nay" if they were authorized to run it.
Is anyone doing this? Any examples or ideas?
I had to eat dinner, so I couldn't respond right away.
Basically, you need to use an HTTPSocket to send data to your server. Then you have a script on your server which accepts the values sent by the HTTPSocket.Post, does something with them and then sends back the response, which is captured by the HTTPSocket.Post return value. Finally your app parses the return value and updates the license code if it is valid.

The basic concept is pretty easy. Implementing the task in a secure manner can be difficult, and there will always be ways that hackers could break it... such as cracking the method to always return true and never actually activating the HTTPSocket. Any steps you take will *not* prevent a determined pirate, but it will make it too hard for the average sharer.

I would recommend that you use something like a serial code (activation code) as the return value from your web server. You can do something with the USERNAME, DATE, SERIAL NUMBER, HARDWARE KEY (such as MAC Address), a SECRET CODE and combine them using MD5() on both the App and the Server side. If the numbers match then the application is authenticated until the next time you need to do it.

If you want to reject the authorization on the server side, such as if the username or hardware value do not match the values stored in the Database, then you can just change the values being hashed with the MD5 so that the numbers do *not* match.

In order to prevent users from faking the data being sent to your server, it is best to encrypt the data. I have an example of a POST with encrypted data and interacting with a web server running PHP. The example is to pass registration information, but it can be easily modified (minus the window of course) to pass an encrypted authorization query instead:
http://developer.dreystone.com/phpRegistration.php

The other issue is your HARDWARE KEY. You can use something like the MAC Address, but you have to remember that most computers have more than one network device and more than one MAC Address (such as Wireless and Ethernet). The MAC Address is probably the easiest, but you should probably loop through all of the MAC Addresses connected to the computer for the very first registration period and send them all. It would make your web server script more complex, but would reduce errors in rejecting valid users. The MAC Address can be spoofed, but the average person will not know how to do this or may not want to. Other HARDWARE KEYS are more difficult to get (maybe declares) and all have their own weaknesses and strengths.

Just remember that you do not have to limit the amount of data sent from your app to the server or the response back. For example, you can send the HARDWARE KEY as a 3KB string if you feel that much information is important. You can also expand the keys and return values with random data to make it less obvious where the important data is.
Let me know if you have any questions.
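The activation-code scheme described in the reply above (both sides combine USERNAME, DATE, SERIAL NUMBER, HARDWARE KEY and a SECRET, and the app compares the server's value with its own), worked through as an added example that is not code from the poster or from the REALbasic/PHP project. It swaps the MD5() combination for a keyed HMAC-SHA256 over the same fields, handles the multiple-MAC case by sending every address in a canonical order and letting the server accept if any one matches its record, and rejects the way the reply suggests, by hashing different data so the client's comparison fails. The user record, serial and shared secret are constructed sample values; the HTTPSocket.Post / PHP transport between the two functions is left out.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample server-side "database" (hypothetical values).
USER_DB = {
    "alice": {
        "serial": "RB-1234-5678",
        "expires": date(2006, 12, 31),
        # MAC addresses recorded at first registration, normalized to lowercase.
        "macs": {"00:11:22:33:44:55", "66:77:88:99:aa:bb"},
    }
}
# Constructed shared SECRET CODE known to both the app and the server.
SHARED_SECRET = b"example-shared-secret-do-not-ship"


def hardware_key(macs):
    """Canonical HARDWARE KEY: every MAC on the machine, normalized and sorted,
    so app and server hash the same string regardless of enumeration order."""
    return ",".join(sorted(m.strip().lower() for m in macs))


def activation_code(username, day, serial, hw_key, secret):
    """The value both sides compute. The reply combines the fields with MD5();
    this example uses HMAC-SHA256 keyed with the secret instead (swapped-in)."""
    message = "|".join([username, day.isoformat(), serial, hw_key]).encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def server_authorize(db, secret, username, serial, macs, today):
    """Server side of the phone-home check. Returns the activation code for a
    valid user; for an unknown user, wrong serial, expired license or a machine
    whose MACs match none on record, it hashes different data (the reply's own
    rejection technique) so the app's comparison cannot succeed."""
    record = db.get(username)
    reported = {m.strip().lower() for m in macs}
    rejected = (
        record is None
        or record["serial"] != serial
        or today > record["expires"]
        or not (reported & record["macs"])  # any one known MAC is enough
    )
    if rejected:
        return activation_code(username, today, "REJECTED", hardware_key(macs), secret)
    return activation_code(username, today, serial, hardware_key(macs), secret)


def client_check(response, username, serial, macs, secret, today):
    """App side: recompute the code locally and compare in constant time."""
    expected = activation_code(username, today, serial, hardware_key(macs), secret)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    macs = ["00:11:22:33:44:55", "AA:BB:CC:DD:EE:FF"]  # wired + wireless, constructed
    today = date(2006, 7, 19)
    resp = server_authorize(USER_DB, SHARED_SECRET, "alice", "RB-1234-5678", macs, today)
    print("authorized:", client_check(resp, "alice", "RB-1234-5678", macs, SHARED_SECRET, today))
```

The DATE field is whatever both sides agree on for that check, so a replayed response only works for the day it was issued; the secret being embedded in the shipped app is the weak point the reply already acknowledges (a patched app can skip the check entirely), and the server-side record of accepted MACs is what makes a simple re-registration on new hardware detectable.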
_______________________________________________
Unsubscribe or switch delivery mode:
<http://www.realsoftware.com/support/listmanager/>
Search the archives of this list here:
<http://support.realsoftware.com/listarchives/lists.html>