I'm trying to make a good licensing system without affecting the user's experience and at the same time make it as secure as possible. I know it's impossible to make it 100% secure, but I would like to make it harder.
My program is made to be used only when the user has an internet connection (not because I hate my users, but because my program is for another online app); that's why I don't care if the user doesn't have an internet connection.
What I thought so far:
Registration:
1. User downloads the software from a public permanent link (Mega or something).
2. User buys the software and receives a unique key in his mail (this key is then written to my DB).
3. User opens the software and registers a new account with Username, Password and the key he received via e-mail. At the same time, information about his PC is sent (will cover that later). (This information is sent with an HTTPS POST.)
4. API checks that the key is not already used and writes Username, Password and PC information on that key's row.
Login:
1. User opens the software and enters Username and Password.
2. Username, Password, PC information and current time are sent to the server (HTTPS POST).
3. Server checks Username, Password and PC information and sends an answer based on the current time (using echo in PHP) (to make the answer unique; idk if this is useful, read the last question in "What I didn't think about yet").
4. Every 1 or 2 minutes the software does step 3 again to check that the information didn't change.
There is a "Reset" button in case the users changed something in their computers that made the key obsolete. This will ask the user to log in, then will replace the computer's information with the new one.
Computer information:
I'm still thinking about this, maybe Hardware information that cannot be faked, or something. I need all this information to be as hard to fake as possible and not changed so frequently that my users would have to reset their account every day/week.
What I didn't think about yet:
- What happens if the user tries to fake the Computer information? How should the server check that the information is wrong? Like if the key becomes "00000000" because all the data is NULL, empty or 0.
- What happens if there are 2 Computers with the same information (for example, notebooks)? Users would be able to use the same serial / account for both computers. How often will this happen? Answered after investigating. This has a low chance, and if this happens, they would still have to know each other so they share their serial keys.
- What happens if someone gets the source code of my program? Will it have any consequence on the rest of the users? Answered by @vidarlo
- Is it possible to fake the answer from the server? What should I do to prevent that? Answered by @vidarlo
- After thinking about this system I noticed that I don't have any kind of serial key generated from user information. (I mean, I send Computer information to the server to compare instead of making a serial key with it and giving the user this serial key). Does this make my system bad?
To be honest, I read a lot and came up with this schema that I "tested" in my mind to see if I could find any easy way to bypass it (I mean things like "if you block the internet connection then the program will work without a license"). Now after "testing" it in my mind, I need more experienced users to give me some advice. This will be my main source of money while I'm studying and I'm trying to protect it as much as possible. A good link I found was how the XP license system works: https://www.licenturion.com/xp/fully-licensed-wpa.txt But it is not very useful because I don't use any kind of serial key containing user information.
I don't know if this is the page for this; I decided to post this here because I'm not asking about code or "how do I do the following", I'm asking if this is easy to bypass.
Everything is appreciated, I'm still on the first step (thinking about everything and checking if it fails before I start to code it).
I continued researching and couldn't find any problems with this schema (I'm omitting the problem that someone edits my exe because there is nothing I can do about it), but still I need more opinions because I don't have a lot of experience, and this would be my first licensing system.
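As an added example (not code from the question, and not any particular product's implementation), here is the registration and login flow above sketched in Go as a server and client in one file. It makes two changes a reviewer would ask for: the server's "answer based on the current time" becomes an Ed25519 signature over a reply that echoes a client-chosen nonce and carries an expiry, so the client (which embeds only the public key) can detect a forged, tampered or replayed answer; and the PC information is rejected before it is stored if every component is empty, all zeros or a placeholder, which is the "00000000" case from the open questions. The fingerprint field names, usernames and serial values are constructed for the example, and salted SHA-256 stands in where a real password KDF (argon2id or bcrypt) would go.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Fingerprint is the PC information the client reports (constructed field set).
type Fingerprint struct{ BoardSerial, DiskSerial, MAC string }

// ValidFingerprint rejects empty, all-zero or placeholder parts, so reporting nothing cannot yield a shared "00000000" identity.
func ValidFingerprint(fp Fingerprint) bool {
	for _, v := range []string{fp.BoardSerial, fp.DiskSerial, fp.MAC} {
		s := strings.ToLower(strings.TrimSpace(v))
		if s == "" || strings.Trim(s, "0:-") == "" || s == "none" || s == "null" || s == "n/a" {
			return false
		}
	}
	return true
}

// digest hashes its parts; for passwords a real KDF (argon2id/bcrypt) belongs here, SHA-256 is a stdlib placeholder.
func digest(parts ...string) []byte {
	h := sha256.Sum256([]byte(strings.Join(parts, "\x00")))
	return h[:]
}

func randomHex(n int) string { b := make([]byte, n); rand.Read(b); return fmt.Sprintf("%x", b) }

type record struct{ salt string; passHash, fpHash []byte }

// Server keeps the license table and the Ed25519 private key; the client only holds the public key.
type Server struct {
	priv   ed25519.PrivateKey
	unused map[string]bool    // issued keys not yet registered
	users  map[string]*record // username -> activation record
}

func NewServer() (*Server, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Server{priv, map[string]bool{}, map[string]*record{}}, pub
}

// IssueKey creates the key that is e-mailed after purchase.
func (s *Server) IssueKey() string { k := randomHex(16); s.unused[k] = true; return k }

// Register consumes the key exactly once and binds username, password and PC to it.
func (s *Server) Register(key, user, pass string, fp Fingerprint) error {
	if !s.unused[key] || s.users[user] != nil {
		return errors.New("key unknown or already used, or username taken")
	}
	if !ValidFingerprint(fp) {
		return errors.New("fingerprint rejected")
	}
	delete(s.unused, key)
	salt := randomHex(8)
	s.users[user] = &record{salt, digest(salt, pass), digest(fp.BoardSerial, fp.DiskSerial, fp.MAC)}
	return nil
}

// ReplyBody is what the server signs: the client's nonce plus an expiry make the answer verifiable and non-replayable.
type ReplyBody struct{ User, Nonce string; ExpiresAt int64 }

// Reply carries the body and the Ed25519 signature over json.Marshal(Body).
type Reply struct{ Body ReplyBody; Sig []byte }

// Login is the check run at login and then every 1-2 minutes; the client sends a fresh nonce each time.
func (s *Server) Login(user, pass string, fp Fingerprint, nonce string, now time.Time) (Reply, error) {
	rec := s.users[user]
	if rec == nil || subtle.ConstantTimeCompare(rec.passHash, digest(rec.salt, pass)) != 1 ||
		subtle.ConstantTimeCompare(rec.fpHash, digest(fp.BoardSerial, fp.DiskSerial, fp.MAC)) != 1 {
		return Reply{}, errors.New("login refused")
	}
	body := ReplyBody{user, nonce, now.Add(2 * time.Minute).Unix()}
	raw, _ := json.Marshal(body)
	return Reply{body, ed25519.Sign(s.priv, raw)}, nil
}

// VerifyReply is the client side: signature first, then nonce, then expiry.
func VerifyReply(pub ed25519.PublicKey, r Reply, expectNonce string, now time.Time) error {
	raw, _ := json.Marshal(r.Body)
	switch {
	case !ed25519.Verify(pub, raw, r.Sig):
		return errors.New("bad signature")
	case r.Body.Nonce != expectNonce:
		return errors.New("nonce mismatch (replayed reply)")
	case now.Unix() > r.Body.ExpiresAt:
		return errors.New("reply expired")
	}
	return nil
}

func main() {
	srv, pub := NewServer()
	fp := Fingerprint{"MB-7731-A", "WD-WX1234", "00:1a:2b:3c:4d:5e"} // constructed values
	fmt.Println("register:", srv.Register(srv.IssueKey(), "alice", "correct horse", fp))
	r, err := srv.Login("alice", "correct horse", fp, "nonce-1", time.Now())
	fmt.Println("login:", err, "| verify:", VerifyReply(pub, r, "nonce-1", time.Now()), "| replay:", VerifyReply(pub, r, "nonce-2", time.Now()))
}
```

The signed reply only settles the "can someone fake the answer from the server" question for the wire: a DNS or proxy trick cannot produce a reply that verifies, and a captured good reply cannot be replayed past its nonce and expiry. It does nothing against a patched binary that skips VerifyReply, which is the case the question already sets aside; for an online-only program, the durable check is to keep the work the user actually needs behind the same server-side login rather than behind a client-side boolean.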