PHP Activation Script
Moderator: General Moderators
Hi, I am developing a website package for commercial distribution. I would like to have some sort of activation within the php script so that when people run it, it checks to make sure that they are a legal buyer of the package.
The catch is, I would prefer to have this checking system NOT depend on a database on my own server. The reason for this is, if for some reason my server was down or not working, I still want their site to work. How can I create some sort of activation system without storing serials in a database on my server? Or is that not possible...
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
The most reliable way I know of is where you take the role of an ASP (application service provider) by hosting the application on your own controlled servers. As long as part of it runs on their machines, it's crackable. And sometimes even run on a server it's crackable too. Unfortunately, this breaks your wish to not require your server being up.
If you store the authentication on their machine/server, it is far easier to crack, even if you use encryption. Granted, if you use strong encryption it may remove the bulk of evil but you run into legal issues like export laws and such.
Last edited by feyd on Mon Feb 06, 2006 4:25 pm, edited 1 time in total.
ahhh....I understand now.
You could set up some kind of activation system similar to MS where to activate, they have to authenticate a key against something you host on your web site. The only other alternative would be to obfuscate a php file as much as possible and insert keys into a flat file as we discussed using some kind of hash then authenticate their key against the hashed values...
The whole heart of the project is that it is a website package for them to run on their own servers, so running it on mine is not really an option. I also don't have the capacity for that nor do I wish I did.
The first thing I thought of doing was to have the script check itself against a database on my server each time the script is run. If their number doesn't coincide with the one in my database, the script will not run. But is that fair to the client that their site will depend on my site being up 100% of the time? Now, obviously, the chances of my site being down are very slim, but it's the principle I suppose.
Any thoughts/more suggestions?
If your script checks each time it's run you're going to have your own server hammered.
The best bet would be to check it and cache the result on the client's server.
If the script cannot reach your server it simply waits a pre-determined amount of time, then re-tries (the cached results of the last validation still allow the application to run while it's waiting for your server to come back online). Unfortunately all they have to do then is add an ipchains rule to null route all traffic to and from your IP and your application will just assume that your server is offline and continue to allow their application to run.
Basically what I'm telling is you're SOL, if there were a perfect solution then piracy wouldn't exist, but obviously it does.
This should be a bit of a no-brainer, but also ensure you have strong licensing agreements, and records on your end.
This way if you ever do find someone to be using your script when they shouldn't, you at least have better grounds for a lawsuit.
The other problem you face is the implementation of the code on their machines.. what is to stop them removing the authentication segment all together?
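The check-and-cache approach suggested earlier in the thread, sketched in PHP as an added example that is not part of any post. It goes one step beyond the suggestion by limiting how long a cached success is honoured while the licensing server cannot be reached; the endpoint URL, response format, cache file name and both intervals are assumptions.

```php
<?php
// Added illustration; the endpoint, file name and intervals are assumptions.
const LICENSE_URL   = 'https://licensing.example.com/check'; // hypothetical vendor endpoint
const CACHE_FILE    = __DIR__ . '/license.cache.json';       // hypothetical cache location
const RECHECK_AFTER = 86400;        // ask the vendor server again after one day
const MAX_GRACE     = 14 * 86400;   // assumed limit on running from cache alone

// Returns true/false for a definite answer, null when the server is unreachable.
function remote_check(string $key): ?bool
{
    $ctx  = stream_context_create(['http' => ['timeout' => 5]]);
    $body = @file_get_contents(LICENSE_URL . '?key=' . rawurlencode($key), false, $ctx);
    if ($body === false) {
        return null;
    }
    return trim($body) === 'valid'; // assumed response format
}

function license_ok(string $key, ?int $now = null): bool
{
    $now     = $now ?? time();
    $keyHash = hash('sha256', $key);
    $cache   = is_file(CACHE_FILE)
        ? json_decode((string) file_get_contents(CACHE_FILE), true)
        : null;

    // Use the cache only if it is for this key, recorded a success, and has a sane timestamp.
    $age = null;
    if (is_array($cache) && is_string($cache['key_hash'] ?? null) && is_int($cache['checked'] ?? null)
        && hash_equals($cache['key_hash'], $keyHash) && ($cache['valid'] ?? false) === true
        && $cache['checked'] <= $now) {
        $age = $now - $cache['checked'];
    }
    if ($age !== null && $age < RECHECK_AFTER) {
        return true;                       // recent success: no network call
    }

    $result = remote_check($key);
    if ($result === null) {
        // Server unreachable: keep running on the last success, but only within MAX_GRACE.
        return $age !== null && $age < MAX_GRACE;
    }

    // Definite answer: record it (failures too, so a revoked key stops immediately).
    file_put_contents(CACHE_FILE, json_encode(
        ['key_hash' => $keyHash, 'valid' => $result, 'checked' => $now]
    ), LOCK_EX);
    return $result;
}
```

The cache file sits on the customer's server, so it is as editable as the script itself; the bound only covers the blocked-network case raised above.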