NYCPHP Meetup

[Dan Cech]

Hi all,

I've been asked to come up with a licensing solutions for a 
closed-source php application, and wondered if anyone had any advice.

The application will be licensed either in perpetuity or on a 
subscription basis, and each license will be tied to a particular server 
to make unauthorised distribution more difficult.

The idea I came up with was to create a server app where the user could 
log in and view/purchase/extend licenses and manage the IP address(es) 
each license is tied to.

The 'license' itself would be an encrypted token containing the client 
id, expiry date, ip address(es) etc signed with a private key.

The actual software would then be encoded to protect the source from 
(casual) prying eyes (I was thinking of using the Turck MMCache encoder 
for this) and include code to check the license validity and take 
appropriate action.

The most obvious (to me) attack on the system is to reverse-engineer the 
code and remove the license check, which could be mitigated somewhat be 
encoding the entire app and 'hiding' the check within the code.

It seems to me like a viable solution, but I'm no security expert and 
would appreciate any and all comments or pointers to existing solutions.

Dan