I am working on a registration system for a desktop app. Before, I only had in-app validation, where the user name and email address were tied to the key and only verified when typed into the program.

I am working to set up a new system where the registration information is stored in an online database, and when the user registers, the database checks to see if they have a license available to register.

My question is ... do I still need to check the registration information in the app or can I solely depend on the internet verification?

I understand that the user will need an internet connection to register, that isn't a problem.

The pros of an internet only registration are that I don't have to come up with a complicated scheme to tie together the name, email, and key inside of the application. Rather I can simply generate a random token and use that as the registration key that will be validated over the internet.

A: 

Think about it: The security of your application still depends very much on what you implement in your desktop application. If you generate a random key and store it in a database on your server, the application still needs to have a way to check it and enable/disable features, based on the registration status (I'm assuming you are aiming for some licensing scheme here).

If this check is done in a very simple way, it might be easy to thwart, thus enabling a user to provide the application with fake registration data, for example by using a proxy.

Jim Brissom
I don't think there is a foolproof way to stop anyone who is intent on breaking a registration scheme. My main goal would be to stop casual pirating.
SteveK
Yes, there is no foolproof solution. But even professional copy protection schemes are in no way foolproof, so your aim should be to do the best you can. If your protection scheme is so easy to fool that it can be done with minimal effort in a few minutes, it will provide no protection at all.
Jim Brissom
What do you suggest? The normal user isn't going to be able to set up a proxy server.
SteveK
Also, couldn't I just use an SSL connection to make sure someone is not spoofing the verification server?
SteveK
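
As an added illustration of the answer's point (not code from the post or its author): a client that trusts a bare "licensed" flag accepts a made-up reply relayed by a proxy, while one that verifies a server signature over its own token and a fresh nonce does not. All function names and the response format are hypothetical, and textbook RSA over a constructed demo key stands in for a real signature scheme (Ed25519 or RSA-PSS from a vetted library).

```python
import hashlib, json, secrets

# Constructed demo key built from two Mersenne primes (trivially factorable).
# Assumption: a real deployment uses a proper key pair; only N and E ship in the client.
_P, _Q = 2**521 - 1, 2**607 - 1
N, E = _P * _Q, 65537
_D = pow(E, -1, (_P - 1) * (_Q - 1))  # private exponent, held by the server only

def _digest(body: dict) -> int:
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big")

def server_respond(token: str, nonce: str, licensed_tokens: set) -> dict:
    """Hypothetical server: sign the verdict together with the client's token and nonce."""
    body = {"token": token, "nonce": nonce, "licensed": token in licensed_tokens}
    return {"body": body, "sig": pow(_digest(body), _D, N)}

def naive_client_check(resp: dict) -> bool:
    """The 'very simple' check: believes whatever arrives on the wire."""
    return bool(resp.get("body", {}).get("licensed"))

def hardened_client_check(resp: dict, token: str, nonce: str) -> bool:
    """Accept only a verdict the server signed for this token and this nonce."""
    body, sig = resp.get("body"), resp.get("sig")
    if not isinstance(body, dict) or not isinstance(sig, int):
        return False
    if pow(sig, E, N) != _digest(body):
        return False  # not signed by the server, or altered in transit
    return body.get("token") == token and body.get("nonce") == nonce and body.get("licensed") is True

def demo() -> dict:
    """Run both checks over constructed responses: genuine, made up, and stale."""
    licensed, nonce = {"TOKEN-A"}, secrets.token_hex(16)
    genuine = server_respond("TOKEN-A", nonce, licensed)
    made_up = {"body": {"token": "TOKEN-X", "nonce": nonce, "licensed": True}, "sig": 1}
    stale = server_respond("TOKEN-A", secrets.token_hex(16), licensed)  # other session
    return {
        "naive_accepts_made_up": naive_client_check(made_up),
        "hardened_accepts_made_up": hardened_client_check(made_up, "TOKEN-X", nonce),
        "hardened_accepts_stale": hardened_client_check(stale, "TOKEN-A", nonce),
        "hardened_accepts_genuine": hardened_client_check(genuine, "TOKEN-A", nonce),
    }

if __name__ == "__main__":
    print(demo())
```

The signature check does not depend on the transport, so it holds even when the connection is relayed through a proxy that the user's machine has been configured to trust. It does not stop someone from patching the check out of the binary, which is the limit the comments above already acknowledge.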