Web Licensing

[Makarov]

Let's go into a scenario..

Let's say you work for this company who want to create this user system software. They want to sell the software and need some sort of license system to stop people from using it without paying it.

How would you go about creating a licensing software with PHP.

No i'm not asking for the code but just methods you may go by doing it.

 

[TimeBomb]

If I had little to no idea as to how to start this 'licensing system', I would google for both ways to do it in general, as well as ways that people have actually done it in PHP. This may or may not include [example] code.
Next, I would google to see how secure or not those ways, which I just found out about, really are.

Thus I would look for solutions, then look for problems in those solutions, then look for solutions to those problems in those solutions.


Anyways, assuming the application is a web app written in PHP, I would create a simple user account system and require people to be logged in, and for their account to be of a specific "is-licensed" type, to be able to access my application.

 

[Makarov]

So you would have a user system on your company's website where they would have to log in to download the application? Now what about if they tried leak it.

 

[TimeBomb]

So you would have a user system on your company's website where they would have to log in to download the application? Now what about if they tried leak it.

Oh, so it's not a PHP/web application?

Then the licensing system should be in the software itself. You can't rely on a website to completely protect an application.

The application should ask for a license key soon after installation. Exactly what happens if they don't enter it relies on if you have a 'free trial' or 'lite' version or none of the above.

When the key is entered, the application can, at that point, either directly query a database or query a website which queries a database, in an attempt to see if the license key is valid or not.
If it is not valid, kick them out of the application (or disable functionality).

What happens when the user has no internet is up to you. To fight user annoyance, perhaps you can require that the application be initially activated over the internet via the license key. After that, it doesn't matter if you have internet or not. But, every time the application starts up, it should try to check if the license key is still valid over the internet.
This will prove useful if you ever need to disable a license key due to piracy or unauthorized sharing or what-not.

The database should, at the very least, also store expiration dates that the application can check against as well. You should store the expiration date in the application whenever possible, so, if they only go on the internet once--to activate the app, then the application will still 'run out' when the license key expires.

In order of using a website to get this information from a database -- just echo out certain data based on mysql queries. Use GET variables to check specific user/application input, ex. validating a specific license key may go to

You must be registered to see links

.

There's a lot you can do, but a company shouldn't expect a PHP developer to handle it all.

What a company should expect is for their application to be leaked illegally over the internet. They should combat that, not combat people trying to illegitimately download their application from their website (which you can attempt to combat via temporary download links).


P.S. Hehe, I have to share this... for anyone trying to secure 'premium' versions of scripts, you should not do it like this (presented below is code from the lite version of a vBulletin plugin by a popular vB plugin developer):

/**
	* Whether we have the pro version or not
	*
	* @public	boolean
	*/		
	public static $isPro		= false;

// Show branding or not
$show['thanks_branding'] = $vbulletin->options['dbtech_thanks_branding_free'] != '<(:{AdvancedThanks.Key|AdvancedThanks.Branding.Free}:)>';

And yeah, it does work as you think it would. Every single one of this guy's plugins follows this practice.

 

[Makarov]

No it is a PHP application.

Think of it like vBulletin or Xenforo for example.

They sell their software and stop unauthorized people from using it with their system. Unless nulled, but they do have people reporting those web sites.

They have a web panel in which licensed users can download the newest software.

 

[TimeBomb]

No it is a PHP application.

Think of it like vBulletin or Xenforo for example.

They sell their software and stop unauthorized people from using it with their system. Unless nulled, but they do have people reporting those web sites.

They have a web panel in which licensed users can download the newest software.

Ah.
vB puts your specific license in every single PHP file.
They have logs of everything. You tell them which site you are putting it on, etc etc.
It also isn't all that difficult to figure out if someone's forum is running vBulletin or not, even through a google search.

They look for websites running nulled scripts, and it isn't all that difficult to find them, I would imagine.

I imagine they could even have an automated bot that searches for nulled scripts.
Google search -> check website to see if it is valid -> if so, maybe they even check the version to see if you are using a version you aren't licensed to use (because your license perhaps ran out several years ago but you are using the latest version), etc etc.

You can't expect people to not share the download. But you can require them to be logged in and validly licensed before being able to download it.

 

[Makarov]

Thanks that helped me a bit. Anyone else have some ideas? :]

 

[EliteGM]

Obfuscate the poop out of your code is all I can think of. Make it difficult as poop for the user to find the licensing code

 

[Makarov]

I did find a obfuscation tool for php that I could use for the licensehandler class.

 

[Mucski]

Whatever you do , people will always be able to download , share , null your scripts , applications. But what you can do is to include the license everywhere in the software as vB does , and than take down sites with nulled scripts and whatever. Most of the webhosts suspend users at first letter you send with proof. And trust me , no one ever made a script that wasn't nulled or leaked , and I don't think that's possible unless they invent something to compile .php scripts , so it becomes un readable by human eyes.

Also if the user doesn't own a paid license , no support , no updates , no forum access , no plugins , and that perhaps would make people buy it anyways.

 

[s-p-n]

Just throw an Open Source license (such as BSD) on it so u don't get sued when it doesn't work. Charge X amount per copy with source code and note in the license that your company should receive X amount from the receiving party (party receiving a copy of the said "software") every time the source code is copied. Offer rewards to hackers who find security vulnerabilities. Update the software frequently, keeping the best software (yours) ahead of every illegal copy. Be kind to your partners, customers and contacts.
Don't be evil.

 

[Ron]

Your only 100% way to prevent source code from leaking and ensuring only licensed users can use your application is using something like ioncube to encrypt and generate licenses for your software. You can lock the software to a server, making the license cause the entire application to fail if the IP address is incorrect.

I use ioncube and love it.

 

[Makarov]

Me and my team have been playing around with source obfuscation, and we've decide on a plan that should keep people from stealing the software illegally. We have decided to obfuscate certain files that are needed for the system to work that will also include license handling so if they remove the file nothing will work, unless they somehow can re-build those needed files themselves (Things happen..).

 

[Mucski]

Your only 100% way to prevent source code from leaking and ensuring only licensed users can use your application is using something like ioncube to encrypt and generate licenses for your software. You can lock the software to a server, making the license cause the entire application to fail if the IP address is incorrect.

I use ioncube and love it.

IonCube can be decrypted , obfuscated files can be de-obfuscated (not by me , I am not a genius) , crackers are usually fired programmers , software engineers , or kids who go to harvard university , and they consider cracking your software "educational". When you make an internet business , piracy is a risk you are willing to take.

 

[Ron]

Of course. There is never a 100% way to prevent piracy and software cracking but ioncube does its job very nicely.

 

[s-p-n]

There is never a 100% way to prevent piracy and software cracking.

^^^^^

You're all wasting your time with obfuscation and trying to prevent illegal copies. Making software inconvenient for the user by adding license keys and all this garbage is just hurting your client-base. If you want your customers to respect you enough to buy your product, allow them to share it and use it as if they own it. The best way to do this is to use a license which says your users can own their copy of your software after paying your company. Whether they get their software from you or a third party, if they're going to pay they're going to pay. If they're going to pirate they're going to pirate- you can't change that by hiding the PHP source code.

I've yet to see a copy of pirated software asking me to pay for it. Perhaps people would if they are given the option to? Instead they label users as rum-smuggling, woman raping, gold collecting sailors- which they are not.

I've been giving away open source software to niche sites for years. I've never been bothered with the idea people may share the software. Instead I've been bothered with phone calls and more work.

 

[Macbeth]

As the previous people has written, no matter what way you will decode or obfuscated the code, there will be people who can decode or obfuscate it. If you really need or want to license it, make sure you license it good and make it automatic so the licensing won't bother the end customer/user in any way.