
Using Licensing Addon for desktop app?


Strategerizer

Question

I understand that for a server-side product, abuse prevention is easily accomplished by controlling Domain and IP, which are arguably unique for the customer. But this would not work for a client-side product. Is there something else I can use instead? I guess our desktop app can generate a unique random number and have validation locked to it. In that case, we would need to, at the very least, control that field label and string type (or add a new field besides Domain, IP or Directory).

 

Here are some thoughts on how I think the licensing needs to be adapted for desktop app protection…

 

 

LICENSE TO REQUIRE UNIQUE SW/HW IDENTIFIER NUMBER

As mentioned above, locking to an IP or domain would not work for a desktop app, to prevent activating multiple product instances on one license purchase. There will need to be something else, that is unique for a specific installation, and that can be checked against. Like a hardware fingerprint from their computer hardware or maybe a randomly generated number from the app itself, generated upon installation. So customer would need to provide that IDENTIFIER and the KEY would then be generated on the server, specifically for that identifier number.

 

 

LICENSE TO REQUIRE CUSTOMER NAME

Licensing to require not only a key but also the name used at time of purchase. So customer will need to enter key and name for license verification. So customers that want to share license with others, will also need to provide their name and that may make them think twice about it. Also, if we detect abuses of a specific license, we will also have the name associated with it. I guess this is not critical but will make someone think twice about sharing the key if their name will need to be explicitly associated with it for validation.

 

 

Situations to be accounted for are:

 

• System to prevent validation from happening if a customer passes their key to someone else

• System to disable expired validations (i.e. when subscription term ends)

• Us to be able to disable validation if abusive behavior noted

• Customer that needs new validation (new computer or installation) to be able to do it themselves, without requiring to contact us for support

• System to invalidate old keys when new keys generated

• Minimize loopholes (e.g. prevent a customer with valid license from generating new keys for others’ unique identifier number, allowing a continuous reset of the grace period… can this be prevented??)

• Dashboard for us to monitor patterns and detect customer abuse (this may be able to address point above)

 

 

Activation workflow would be as follows:

 

1. Customer purchases desktop app from our website, through WHMCS portal

2. WHMCS provides download link for app

3. Customer installs app and unique IDENTIFIER number is generated/displayed for them

4. Customer logs into their account from WHMCS and enters unique number from above (I guess they would enter this instead of entering a domain name or IP address so all we may need to tweak on your functionality is to be able to re-label that field!)

5. WHMCS generates license key

6. Customer enters, in desktop app, NAME and KEY. This will: a) Activate app, and b) Tell app to which account to connect on the server to verify license in future

7. App gets activated for a defined period (e.g. 30 days)

 

 

When app starts, it tries to connect to server and see if Name/Key/Identifier are still valid:

 

• If validated by server, app continues (validation would require NAME/IDENTIFIER/KEY to be correct and payment to be current)

• If denied by server, app stops (and notes that key as invalid)

• If cannot connect to server, a grace period starts (e.g. 30 days + 3 additional app usages) and tracked by app

• If cannot connect to server -and- grace period ended, app stops (and notes that key as invalid)

 

 

So, IF [server denies validation] -OR- [app cannot connect to validate and grace period expires] THEN app notes key as invalid and it cannot be used to activate the program again. Customer with a valid subscription can log into the server and generate a new key (steps #4-6 from above). Note this means that the server should be able to generate a NEW (different) key, even if NAME and IDENTIFIER remain the same. (Otherwise I guess the program may need to generate a new identifier once app fails validation.)

 

 

User (or us) should be able to log into the server and do following operations:

 

• Change email address or password associated with account

• Enter new IDENTIFIER (New KEY can then be generated, Older KEY will then be marked as invalid, and Changes emailed to customer)

• Find a log of IDENTIFIERS/KEYS/DATES, requests (including IP address of requester) and possibly other changes to their account (email/passwords) to help identify abusive patterns

 

Is the above business model/workflow supported? OR at least could it be implemented this way using the Licensing Addon?

Edited by Strategerizer
Formatting changes
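
The startup check described in the question above (valid, denied, or unreachable with a grace period of 30 days plus 3 additional usages), sketched as an added example that is not part of the original post or of the WHMCS Licensing Addon. `LocalState`, `Server` and `on_startup` are hypothetical names, and the `last_seen` clock-rollback guard is an added assumption the post does not mention.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

GRACE_DAYS = 30        # example value from the post
GRACE_EXTRA_RUNS = 3   # "3 additional app usages"

class Server(Enum):
    VALID = "valid"              # NAME/IDENTIFIER/KEY correct and payment current
    DENIED = "denied"
    UNREACHABLE = "unreachable"

@dataclass
class LocalState:                # the app must persist this between launches
    key_invalid: bool = False
    offline_since: Optional[datetime] = None
    extra_runs_used: int = 0
    last_seen: Optional[datetime] = None

def on_startup(state: LocalState, result: Server, now: datetime) -> bool:
    """Return True if the app may run on this launch; updates state in place."""
    if state.key_invalid:
        return False             # a key noted as invalid never activates again
    # Assumption: never accept a clock earlier than the last launch, so
    # setting the system date back does not extend the grace period.
    now = max(now, state.last_seen or now)
    state.last_seen = now
    if result is Server.VALID:
        state.offline_since, state.extra_runs_used = None, 0
        return True
    if result is Server.DENIED:
        state.key_invalid = True
        return False
    # Server unreachable: start or continue the grace period.
    if state.offline_since is None:
        state.offline_since = now
    if now - state.offline_since <= timedelta(days=GRACE_DAYS):
        return True
    if state.extra_runs_used < GRACE_EXTRA_RUNS:
        state.extra_runs_used += 1
        return True
    state.key_invalid = True     # grace period and extra usages exhausted
    return False
```

Because the grace period is tracked by the app, the persisted state is only as trustworthy as the machine it is stored on; the server-side check remains the authoritative one.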

19 answers to this question

  • 0

Hi Strategerizer, are you using some sort of hardware id linked registration system? Such as ASProtect?

 

If yes, are you using any form of online system to register your users?

 

I'm asking because I have such a system, but it was made before I used WHMCS and as such is not integrated with WHMCS.

 

My online system uses a license "activation code" database system - I have generated a long list of unique codes stored in Excel spreadsheet. An activation code gives the user the right to generate a license key online. When the user goes online to generate the license key, he will be required to furnish some information such as company name, username and email address.

 

What I am now doing is to manually add their assigned "activation code" to their order (under product custom field), and then manually send a "product welcome" email that will display the "activation code" along with instructions on how to generate the key.

 

There seems to be duplication of work and I am maintaining 2 sets of "expiry date" - one for the order, and another on my original "activation code" database. I am now cracking my head on how to synchronize the 2 databases.


  • 0

I ended up having to hire a contractor from Elance, with experience in both PHP and C#, to convert the sample implementation code provided by WHMCS (available only to customers that actually purchase the licensing addon) from PHP to C#. He said it was pretty simple to do. He also had WHMCS experience but that really was not required to understand the code and convert it to being used by a desktop app.

 

Then, based on my understanding of how the licensing addon works, I had to develop the business logic appropriate for the desktop app and change some variables being used. So instead of tying the license to a domain name and an installation directory, we tie it to username, email and some unique hardware number (like BIOS or HD serial number). Then you'll have to think also about allowing conflicts or not for each of those variables and if you allow the user to reissue their license.

 

It has not been easy to figure out all the various pieces and how they interact with each other (like the various options that you will have in the WHMCS dashboard and how they affect the behavior of the licensing component on the server). But once you put some time into it to understand it, it starts making more sense. We are happy so far, though we have not deployed yet.


  • 0

The best would be to have a local machine fingerprint (an algorithm generated by hardware's IDs) to check the install together with license code.

New install on a different machine will result in a different fingerprint thus different installation.

How did you override the IP/domain and directory check and put in place a new string to compare?

This is the hardest to do, all the other is quite easy for any programmer
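
One way to check a machine fingerprint together with the license key on the server, so that a shared key fails on another machine and a reissue invalidates the old key, as discussed in the posts above. This is an added example, not the Licensing Addon's code or any poster's; `fingerprint`, `LicenseServer`, the hardware IDs and the license id are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample hardware IDs (e.g. BIOS and disk serial numbers).
MACHINE_A = {"bios_serial": "DEMO-BIOS-0001", "disk_serial": "DEMO-DISK-0001"}
MACHINE_B = {"bios_serial": "DEMO-BIOS-0002", "disk_serial": "DEMO-DISK-0002"}

def fingerprint(hw_ids: dict) -> str:
    """Hash hardware IDs into one installation IDENTIFIER.

    Keys are sorted and values normalised so the same machine always
    yields the same identifier regardless of read order or casing.
    """
    canon = "\n".join(f"{k}={hw_ids[k].strip().upper()}" for k in sorted(hw_ids))
    return hashlib.sha256(canon.encode()).hexdigest()[:20]

class LicenseServer:
    def __init__(self):
        self.current = {}  # license id -> (name, identifier, key): one active key
        self.log = []      # (license id, identifier, event) for abuse review

    def issue(self, lic: str, name: str, identifier: str) -> str:
        # Random key: a reissue differs even when name and identifier are unchanged.
        key = secrets.token_hex(16)
        self.current[lic] = (name, identifier, key)  # overwrite invalidates the old key
        self.log.append((lic, identifier, "issued"))
        return key

    def verify(self, lic: str, name: str, identifier: str, key: str) -> bool:
        rec = self.current.get(lic)
        ok = (rec is not None and rec[0] == name and rec[1] == identifier
              and hmac.compare_digest(rec[2].encode(), key.encode()))
        self.log.append((lic, identifier, "valid" if ok else "denied"))
        return ok
```

The log of denied checks per license, with the identifiers that were presented, is the raw material for the abuse monitoring the question asks for.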


  • 0

I did not need to do anything special to use hardware number (or any other variable) instead of the IP/Domain. These are just labels for the variables passed to the server and there is no requirement for any particular value for that variable. So just pass what variable value you want.

 

Your variable will still be labeled IP or Domain on the server (maybe you can change some .tpl template file to change this) but that should not be a big issue; YOU will know what the variables actually are.


  • 0
> I did not need to do anything special to use hardware number (or any other variable) instead of the IP/Domain. These are just labels for the variables passed to the server and there is no requirement for any particular value for that variable. So just pass what variable value you want.
>
> Your variable will still be labeled IP or Domain on the server (maybe you can change some .tpl template file to change this) but that should not be a big issue; YOU will know what the variables actually are.

 

Hi Strategerizer! I was wondering if you had any more information regarding using the WHMCS Licensing Addon for a desktop app? We're selling a subscription based app written in Visual Studio and I'm not a programmer but am in charge of getting the workflow and practical aspect of licensing drawn up. I selected WHMCS as our billing system and initially thought the licensing app would work - until I started reading up! I wanted to know how successful you were and if you could give me any hints.


  • 0

Hi,

 

I already sent the code to Chris from WHMCS. I gave my permission to share code with licensing addon customers. If they don't want to share it for some reason I hope they can give me the permission to share it here.


  • 0

Thought I would give the thousands of viewers on this thread an idea of what I eventually ended up doing.

 

Our desktop software does an HTTP form-data POST to verify.php of the following: license key and MAC address (which we POST as the ip). We are returned an XML of a bunch of data, but what was missing was the custid and a check for a particular addon we needed to know if the customer purchased. The license check routine verifies the license number and matches the IP (MAC address in our case), which does the trick! We even managed to work in a quick version check scheme by creating an Admin only custom field on the products named "Version", placing the version number in the description box. Our software is returned that number and compares it to what is on file. If the number returned is higher, we prompt the user to upgrade. Sweet.

 

A quick little hook I got from Joe at serverping.net took care of the clientid and addon query - affordably.

 

I was clearly overthinking this and now
