User identification
Yan Aleksandrov, 2019-08-30 11:12:24

Confirming and unbinding a license key?

I am making a PHP application. The user is given a license key to use the application on several domains (let's say 3, it doesn't matter). License verification is performed via HTTP requests.
There are no problems with confirming the license: when installing the application, I make an HTTP request and check the key; if everything is OK, I note on the receiving server that there are 2 installations left.
When the application is deleted from a domain, there is again an HTTP request, and I note on the server that there are 3 installations left. Give me an idea of how to check whether the HTTP request on deactivation actually came from the same source as on activation, or whether it came from manual manipulation.
I came up with the idea of recording the IP on activation and then checking whether the HTTP request came from the same source on deactivation. But I'm not sure it's 100% secure.
Added:
There is an idea: on activation, send some kind of automatically generated label, and on deactivation, make an HTTP request with this label. The question is how to store it so that the user cannot recognize it.
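
The label idea from the question, sketched as an added example (not code from the original post or its answers): the license server issues a random token at activation, keeps only its SHA-256 hash, and frees an installation slot only when the same token comes back. The class, method names, sample key and in-memory storage are assumptions.

```php
<?php
declare(strict_types=1);
// Hypothetical license server (added example); arrays stand in for a database. PHP 8+.
final class LicenseServer
{
    /** @var array<string, array<string, string>> key => [domain => sha256(token)] */
    private array $installs = [];

    /** @param array<string, int> $limits key => allowed installations */
    public function __construct(private array $limits) {}

    // Issue a random token for a new installation; null if the key is unknown or exhausted.
    public function activate(string $key, string $domain): ?string
    {
        $used = $this->installs[$key] ?? [];
        if (!isset($this->limits[$key]) || isset($used[$domain]) || count($used) >= $this->limits[$key]) {
            return null;
        }
        $token = bin2hex(random_bytes(32));
        $this->installs[$key][$domain] = hash('sha256', $token); // only the hash is stored
        return $token;
    }

    // Free the slot only when the caller presents the token issued at activation.
    public function deactivate(string $key, string $domain, string $token): bool
    {
        $stored = $this->installs[$key][$domain] ?? null;
        if ($stored === null || !hash_equals($stored, hash('sha256', $token))) {
            return false;
        }
        unset($this->installs[$key][$domain]);
        return true;
    }

    public function remaining(string $key): int
    {
        return ($this->limits[$key] ?? 0) - count($this->installs[$key] ?? []);
    }
}

// Constructed sample data: one key allowing 3 installations.
$server = new LicenseServer(['DEMO-KEY-0001' => 3]);
$token = $server->activate('DEMO-KEY-0001', 'shop.example');
var_dump(
    $server->remaining('DEMO-KEY-0001'),
    $server->deactivate('DEMO-KEY-0001', 'shop.example', 'guessed-token'),
    $server->deactivate('DEMO-KEY-0001', 'shop.example', $token),
    $server->remaining('DEMO-KEY-0001')
);
```

The token only proves that the caller holds the value issued at activation. The installation has to keep it in a file or database that the server's owner can read, so it cannot be hidden from the user.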


2 answer(s)
Adamos, 2019-08-30
@Adamos

Multiple domains or multiple servers?
For one domain, it is logical for a user to foresee at least two installations: on a production server and on a test one. The IP is somewhat inappropriate here...

rPman, 2019-08-30
@rPman

Generally not (in your organization scheme), since a savvy user can proxy requests to your license server from any number of installations.
You can try to obscure the installation and uninstallation process by linking it to some internal system identifiers, registry settings, etc. (in this case you will have 1 install and 1 uninstall request each), but again a cunning user can reverse this: track the system calls and simulate the same environment, explaining to you that the repeated activations are because his Windows died, the disk failed, and other tall tales.
If you could deploy the activation technology the other way around, when your licensing server makes requests to user machines (for this, access should be open to them from the outside, either through a firewall or a proxy), then you yourself would control periodic activation requests (for example, 1 time per day) and this could not be bypassed (except for hacking the activation verification process altogether, which by itself is impossible to prohibit, but you can try to make this process unreasonably expensive).
