Concurrent license monitoring for a web page with JavaScript?

Question

What is the good method to implement a cross platform CONCURRENT USERS monitoring for a .HTML page that contains a simple javascript application. The tricky part is that the web servers hosting this html page differ a lot, each customer has their own LMS/Web server, so web page could be running inside IIS or apache etc. ( I have no control on web server at all)

(Access to internet may be limited from the web server, too)

This html page is a SCORM module that needs to make sure there are no more than 10 users at time.

Answer 1

Can't be done, sorry. Unless you control access on the server side all attempts to restrict client behaviour are doomed. If you write some JS, I can rewrite it. Maybe I can even just turn off JS. Either way the protection is restricted to the behaviour on my computer and with JS I control that, not you.

I don't know what "scorm" is, maybe you have some options there. Otherwise you'll need to implement a server-side solution for the platforms you want to support.

btw, JS obsfucation and other tricks might keep casual users from breaking your system but overall you're really just engaging in an arms race you can't win. If your product is valuable enough then I'm sure some browser plugin will come along to override your protection.

I suppose you could just be dishonest and pretend the application is secure. If it works for Microsoft and Symantec, maybe you'll get away with it as well?

Answer 2

What kind of API does the LMS give you?

If you can read and write the value of a variable, you could increment a counter each time a user logs in, and decrement it when a user logs out. If the counter >= 10, you tell the user he cannot use the application.

This is of course very rudimentary; you'll probably want to automatically log users out if they are inactive for a long time.

Also, as SpliFF said, since it's a client-side solution, it will be relatively easy to circumvent. But it might be good enough for your needs.

Answer 3

Implementing user access checking is difficult in SCORM. Like SpliFF said, anything implemented in JavaScript is inherently insecure. I'd say though that you can probably implement a good enough solution. Nobody is going to die if 11 users actually gain access instead of just 10, so a less than perfect solution is probably acceptable.

Can you require that all of the end users' browsers have internet access? If so, you have two options. First, you could implement a AJAX-based solution that makes a request to your server every time the content is loaded. There would have to be some JavaScript that validates the response and decides whether or not to allow the content to be launched. Take a look at a company called Chartbeat. They have a product that will tell you how many concurrent users are on your website. You might be able to reverse engineer that to come up with a similar solution.

Secondly, you can host the SCORM content on your server. You will quickly run into the cross domain scripting problem that makes communicating with the LMS difficult, but this can be overcome. We've helped many clients who are looking for strict licensing controls to host their content and still let it be SCORM conformant using HTTP redirects to enabled the SCORM API calls.

You might also want to consider using AICC instead of SCORM if your clients will allow it. AICC allows for better cross domain communication and makes it easier to host the content yourself.