Answer the question
In order to leave comments, you need to log in
Confirming and unbinding a license key?
I am making a php application. The user is given a license key to use the application on several domains (let's say 3, it doesn't matter). License verification is performed via http requests.
There are no problems with confirming the license: when installing the application, I make an http request, check the key, if everything is OK, I note on the receiving server that there are 2 installations left.
When deleting the application from the domain, again http request. I note on the server: there are 3 installations left. Give an idea how to check if the http request on deactivation actually came from the same source as on activation, or if it came from manual manipulations.
I came up with the idea to record the IP when activated, and then check whether http came from the same source when deactivated or not. But I'm not sure it's 100% secure.
Added.
There is an idea that when activated, send some kind of automatically generated label. And when deactivated, make an http request with this label. The question is how to store it so that the user cannot recognize it.
Answer the question
In order to leave comments, you need to log in
Multiple domains or multiple servers?
For one domain, it is logical for a user to foresee at least two installations: on a production server and on a test one. The IP is somewhat inappropriate here...
Generally not (in your organization scheme), since a savvy user can proxy requests to your license server from any number of installations.
You can try to obscure the installation and uninstallation process by linking it to some internal system identifiers, registry settings, etc. (in this case you will have 1 install and uninstall request each), but again a cunning user can reverse this. system calls to track and simulate the same environment, explaining to you that repeated activations - it's his Windows that has flown, the disk has died and other noodles on the ears.
If you could deploy the activation technology the other way around, when your licensing server makes requests to user machines (for this, access should be open to them from the outside, either through a firewall or a proxy), then you yourself would control periodic activation requests (for example, 1 time per day) and this could not be bypassed (except for hacking the activation verification process altogether, which by itself is impossible to prohibit, but you can try to make this process unreasonably expensive).
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question