PHP Activation Script
Posted: Mon Feb 06, 2006 3:26 pm
by flippyn5
Hi, I am developing a website package for commercial distribution. I would like to have some sort of activation within the php script so that when people run it, it checks to make sure that they are a legal buyer of the package.
The catch is, I would prefer to have this checking system NOT depend on a database on my own server. The reason for this is, if for some reason my server was down or not working, I still want their site to work. How can I create some sort of activation system without storing serials in a database on my server? Or is that not possible...
Posted: Mon Feb 06, 2006 3:58 pm
by Burrito
you could write to and read from a flat file.
Posted: Mon Feb 06, 2006 4:17 pm
by flippyn5
I thought about that but what's to stop someone from just creating their own file and fooling the system?
Posted: Mon Feb 06, 2006 4:19 pm
by Burrito
the file would reside on the server in a 'protected' area. Since all of your scripting should be done server side, there would be no way for an end user to upload a 'dummy' file and use it for access....
Posted: Mon Feb 06, 2006 4:20 pm
by flippyn5
How would I put a file in a 'protected area' though? This package will be installed on clients' servers and I will have no access to their server settings or the like.
Posted: Mon Feb 06, 2006 4:24 pm
by feyd
The most reliable way I know of is where you take the role of an ASP (application service provider) by hosting the application on your own controlled servers. As long as part of it runs on their machines, it's crackable. And sometimes even run on a server it's crackable too. Unfortunately, this breaks your wish to not require your server being up.
If you store the authentication on their machine/server, it is far easier to crack, even if you use encryption. Granted, if you use strong encryption it may remove the bulk of evil but you run into legal issues like export laws and such.
Posted: Mon Feb 06, 2006 4:25 pm
by Burrito
ahhh....I understand now.
You could set up some kind of activation system similar to MS where to activate, they have to authenticate a key against something you host on your web site. The only other alternative would be to obfuscate a php file as much as possible and insert keys into a flat file as we discussed using some kind of hash then authenticate their key against the hashed values...
Posted: Mon Feb 06, 2006 4:30 pm
by flippyn5
The whole heart of the project is that it is a website package for them to run on their own servers, so running it on mine is not really an option. I also don't have the capacity for that nor do I wish I did.
The first thing I thought of doing was to have the script check itself against a database on my server each time the script is run. If their number doesn't coincide with the one in my database, the script will not run. But is that fair to the client that their site will depend on my site being up 100% of the time? Now, obviously, the chances of my site being down are very slim, but it's the principle I suppose.
Any thoughts/more suggestions?
Posted: Mon Feb 06, 2006 6:18 pm
by josh
If your script checks each time it's run you're going to have your own server hammered.
The best bet would be to check it and cache the result on the client's server.
If the script cannot reach your server it simply waits a pre-determined amount of time, then re-tries (the cached results of the last validation still allow the application to run while it's waiting for your server to come back online). Unfortunately all they have to do then is add an ipchains rule to null route all traffic to and from your IP and your application will just assume that your server is offline and continue to allow their application to run.
Basically what I'm telling is you're SOL, if there were a perfect solution then piracy wouldn't exist, but obviously it does.
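An added example (not posted by anyone in the thread) of the cache-and-retry check josh describes, with one assumption beyond his post: the cached result is honoured only for a bounded grace period, so an unreachable server stops being treated as "offline, carry on" once that period runs out. The function name, the three intervals and the `$remote` callback are hypothetical; PHP 7.4 or later is assumed.

```php
<?php
// Added example; every name and interval here is hypothetical.
const RECHECK_INTERVAL = 86400;       // re-validate a good result once a day
const RETRY_INTERVAL   = 3600;        // wait this long between failed attempts
const GRACE_PERIOD     = 14 * 86400;  // how long an unrefreshed result is honoured

/**
 * $cache:  ['valid' => bool, 'checked_at' => int, 'tried_at' => int], or null
 *          on first run. 'checked_at' is the last time the server answered.
 * $remote: callable returning true (key accepted), false (key rejected) or
 *          null (license server unreachable).
 * Returns [bool $allowed, array $cacheToStore].
 */
function license_decision(?array $cache, int $now, callable $remote): array
{
    $cache ??= ['valid' => false, 'checked_at' => 0, 'tried_at' => 0];

    // Contact the server only when the result is stale AND the retry wait has
    // passed, so neither normal traffic nor an outage hammers it.
    $due = $now - $cache['checked_at'] >= RECHECK_INTERVAL
        && $now - $cache['tried_at'] >= RETRY_INTERVAL;
    if ($due) {
        $cache['tried_at'] = $now;
        $answer = $remote();
        if ($answer !== null) {           // server answered: its verdict wins
            $cache['valid'] = $answer;
            $cache['checked_at'] = $now;
        }
    }

    // An unreachable server leaves the old verdict in place, but only until
    // the grace period runs out; after that the application stops.
    $allowed = $cache['valid'] && $now - $cache['checked_at'] < GRACE_PERIOD;
    return [$allowed, $cache];
}

// Constructed timeline: validated on day 0, server unreachable afterwards.
$up = fn() => true;
$down = fn() => null;
$day = 86400;
$t0 = 1700000000;
[$a, $c] = license_decision(null, $t0, $up);               // first run
[$b, $c] = license_decision($c, $t0 + 5 * $day, $down);    // 5 days offline
[$d, $c] = license_decision($c, $t0 + 20 * $day, $down);   // 20 days offline
var_dump($a, $b, $d);
```

The caller is responsible for persisting the returned cache array between requests. As the rest of the thread points out, the check still runs on the client's server, so it bounds the outage case but does not stop someone editing the cache file or removing the check.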
Posted: Tue Feb 07, 2006 5:58 am
by Jenk
This should be a bit of a no-brainer, but also ensure you have strong licensing agreements, and records on your end.
This way if you ever do find someone to be using your script when they shouldn't, you at least have better grounds for a lawsuit.
The other problem you face is the implementation of the code on their machines... what is to stop them removing the authentication segment altogether?