Hi

Our company makes a web-based application which is priced per workstation.

That means that user/pass credentials should only be used from one particular machine.

Currently what is happening is that several users are sharing credentials, and we do not have any way to prevent this if they are not doing it concurrently.

The nature of the application is such that a user needs to use it once in a while, so the inability to work concurrently does not bother the users much and the company loses its possible revenue.

The application currently is purely AJAX without flash/activeX/Java applets.

The ideal solution would be to read the computer name or IP address of the client with JavaScript using the "Shell.Network" scripting interface.

But this is impossible because of the strict security settings in Internet Explorer. I have to mention that cross browser functionality does not matter and the only browser supported is IE.

Searching Google I came across this solution here http://www.reglos.de/myaddress/MyAddress.html but it requires a Java applet, so it will not be very convenient.

Are there any other solutions for this?

+3  A: 

Set a cookie on the machine with an id. Retrieve the cookie each time the user logs in. If you see several different cookies alternating for a single user you know you've got something odd going on.

(Of course a single switch may just mean they've moved to a new PC as a one-off.)

Alternatively, price per usage, 'query' or some other item.

RichH
It seems a cookie-based solution would be the best. We will try it out.
SparcU
A: 

There's no easy answer as your clients (the software) are effectively anonymous and the users are self-identifying.

For IE "locking you out" (I'm hardly an IE expert), but can't the IE settings be set for particular domains? You could simply make it a requirement that the users configure their browsers to give your app superior access.

I don't see any reason why you can't have certain requirements for the user's browser (i.e. only IE 6/7/8, these security settings, etc.).

Will Hartung
+4  A: 

Your licensing model is not consistent with the delivery model. Change one of them.

Bryan Batchelder
+1, because the Web is Stateless. It's hard enough to follow a single user around.
anonymous coward
A: 

This kind of abuse can probably be detected moderately effectively using the Cookie technique that RichH suggested. At least blatant abuse can be detected quite easily (say 10 licenced users, 100 real users).

But of course, don't lock the user out, just monitor the situation and get your Sales people to call up suggesting that they buy more licences.

We do exactly the same (in terms of licensing and delivery), and I'm sure that you have good business reasons for not changing your model.

MarkR
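The monitoring approach from the cookie answers above, sketched as an added example (not code from any poster in this thread): it reads a login log keyed by a per-machine cookie id and flags accounts that alternate between machines, while treating a one-off move to a new PC as normal. The log layout, the `review_accounts` name, the 30-day window and the one-seat limit are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(days=30)   # assumed review window
SEATS = 1                     # assumed: one licensed workstation per login

# Constructed sample login log: (username, device cookie id, login time)
LOGINS = [
    ("alice", "dev-a1", "2024-03-01T09:00"),
    ("alice", "dev-a2", "2024-03-10T09:00"),   # moved to a new PC, never returns
    ("alice", "dev-a2", "2024-03-12T09:00"),
    ("bob",   "dev-b1", "2024-03-01T08:00"),
    ("bob",   "dev-b2", "2024-03-01T13:00"),
    ("bob",   "dev-b1", "2024-03-02T08:30"),   # back on the first machine
    ("bob",   "dev-b3", "2024-03-02T15:00"),
    ("bob",   "dev-b2", "2024-03-03T10:00"),
]

def review_accounts(logins, now, window=WINDOW, seats=SEATS):
    """Return {user: {"devices": n, "returns": n, "flag": bool}}.

    "returns" counts logins that switch back to a device seen earlier in the
    window; a one-off move to a new PC produces none, alternating use does.
    """
    per_user = defaultdict(list)
    for user, device, ts in logins:
        when = datetime.fromisoformat(ts)
        if now - window <= when <= now:
            per_user[user].append((when, device))

    report = {}
    for user, events in per_user.items():
        events.sort()                      # chronological order per account
        seen, last, returns = set(), None, 0
        for _, device in events:
            if device != last and device in seen:
                returns += 1               # switched back to a known machine
            seen.add(device)
            last = device
        report[user] = {"devices": len(seen), "returns": returns,
                        "flag": len(seen) > seats and returns > 0}
    return report

if __name__ == "__main__":
    for user, row in review_accounts(LOGINS, datetime(2024, 3, 15)).items():
        print(user, row)
```

A flagged account is a prompt for a sales follow-up rather than a lock-out, since a cleared cookie store or a reinstalled browser also produces a new device id.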
A: 

Track through sessions per user. Do not allow multiple sessions for a single user. To achieve this you will have to save the session ID into the database and check it every time a user logs in.

To help users who at times have a browser crash and log in again with a new session, allow them to sign out their previous session... so you can kill the old session and instead register the new one.

Hope this is useful.