If I enforce a licensing restriction on my application, say the first time the application runs, then should my application check the restrictions (could be an encrypted license file) each time? How do you design this part? What is the best way? Basically I would like some way to save CPU cycles somehow (encryption means decryption blah blah). I hope you understand my concern.

+1  A: 

This really depends on how you want to handle it in your application, and what type of action you want to take for the user.

If you only check on the first load, you are going to need to store the success/failure of the validation somewhere, so that your application knows if it is legit or not. This then becomes a concern, as you need to validate that your system is the ONLY thing that is actually storing/updating that information source.

Mitchel Sellers
So on first run, if I save that 'ok I found a valid license with all the data I need to get running for 10 users' then next time I would not need to mmm...
abmv
Yes, and as long as you save that in a secure fashion, my preferred method is a signed, encrypted XML file...works like a charm.
Mitchel Sellers
+1  A: 

Depends on what kind of application it is.

If it's a desktop application, once the license key is verified...you can set a bit somewhere to let your software know that it is running in licensed mode. Make sure the bit is somewhere outside of the application folder (that way if somebody straight copies your app to another machine, your software will know it's no longer licensed).

If you're trying to do a web app, an encrypted license file somewhere in your site directory seems to be a popular solution. The file contains the license type and domain name...then your web app verifies the license upon each request (a little bit of overhead, but you can make that code lightning fast).

Justin Niessner
A: 

It depends on how secure you really want your licensing to be. I would recommend checking a license key each time the application starts - this shouldn't be too expensive of an operation in terms of CPU/memory. If you only check on the first time it is run, then it is rather prone to being hacked, and the key could be removed and installed on another computer over and over again.

James Conigliaro
Could some hash checking be enough?
abmv
A: 

Generally, most 3rd party licensing solutions like FLEXnet or RLM suggest that you do verify application licenses each time the program runs, at a minimum. Usually it's not too expensive to do at least that.

In some circumstances -- and you have to determine if this applies to you -- it can make sense to do licensing checks more often. For example, some software licenses components of the program separately, checking the license for that component each time it is accessed. Using commercial applications, like the ones mentioned above, this isn't that expensive so it's quite commonly done.

Naaff
A: 

The other issue to consider is making it even harder for would-be hackers. Users of our EasyLicenser and Orion license manager systems sometimes perform license checks at multiple places in the code, for added security. (We recommend several practices for security, such as using exception-based flow of control).

To the point above about separately licensing features, once the table of licensed features is read in the license check it is retained by the application, so invoking a new feature does not require further disk access.

Dominic
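
An added example, not code from any poster or from the products named above, combining the points in the answers: the license is verified on every start, bound to one machine, and its feature table is kept in memory so later feature checks cost no disk access or crypto. Assumptions: the names issue_license, License and VENDOR_KEY are hypothetical, the machine ID is passed in by the caller, and a keyed HMAC from the Python standard library stands in for the public-key signature a shipping product should use (a bare unkeyed hash could be recomputed by anyone who edits the file).

```python
import hashlib
import hmac
import json

# Assumption: constructed demo key. With a real public-key signature the
# application would carry only a verification key and could not mint licenses.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"


def issue_license(machine_id, features, max_users):
    """Vendor side: serialize the license body and attach a MAC over it."""
    body = json.dumps(
        {"machine_id": machine_id, "features": sorted(features),
         "max_users": max_users},
        sort_keys=True,
    )
    tag = hmac.new(VENDOR_KEY, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag})


class License:
    """Verified once per process start; feature checks then hit memory only."""

    def __init__(self, blob, machine_id):
        doc = json.loads(blob)
        expected = hmac.new(
            VENDOR_KEY, doc["body"].encode(), hashlib.sha256).hexdigest()
        # Constant-time compare; an edited body or tag fails here.
        if not hmac.compare_digest(expected, doc["tag"]):
            raise ValueError("license signature mismatch")
        body = json.loads(doc["body"])
        # Machine binding: a straight copy of the file to another host fails.
        if body["machine_id"] != machine_id:
            raise ValueError("license issued for a different machine")
        self.max_users = body["max_users"]
        self._features = frozenset(body["features"])

    def allows(self, feature):
        """In-memory lookup: no disk access or crypto per feature check."""
        return feature in self._features


if __name__ == "__main__":
    # Constructed sample license for a host called HOST-A.
    blob = issue_license("HOST-A", ["export", "reports"], 10)
    lic = License(blob, "HOST-A")
    print(lic.max_users, lic.allows("export"), lic.allows("admin"))
```

The per-start cost is one SHA-256 HMAC over a few hundred bytes, which is negligible next to application startup.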