
I'm creating a web application in ColdFusion 11 which was originally going to be cloud-hosted. However some potential customers would prefer for it to be hosted by themselves on their premises.

This has brought up the questions of:

  1. Managing the application on multiple sites (e.g. upgrades, updates)
  2. Licensing the application so it only works while the customer is paid-up
  3. Preventing clients from accessing the source code and either messing with the application or pirating it

The first one that I want to tackle is how to create a licence file per customer that the application checks every time it's used, and then allows the customer in. Bearing in mind the entire application is hosted by the customer, I can't have a central system that checks licencing. I need something like how older desktop applications worked where you typed in a serial number and it licenced the product.

My initial thoughts are to:

  1. Preload a database table that the client has with hashed/encrypted serial numbers
  2. Have some other table that maps the serials to expiry dates
  3. My web app checks the database tables for serial validity and then decides to work for whatever period the serial lasts for

The only thing is... how would it check for "serial validity". That is, how would my web app know which serial this customer is using and keep that permanently until the expiry date which could be 12 months away.

Could anyone give me some pointers on how to achieve this kind of client-based security for a ColdFusion web application?

volume one

  • If they have the code they can remove the license checks you've implemented. If they have the actual code you can't guarantee they're a valid customer. – Matt Busche Jul 21 '14 at 15:17
  • They would have the code I guess but not enough expertise to start removing license checks and then edit all the SESSION based security that would be based off that. – volume one Jul 21 '14 at 15:32
  • I wouldn't rely on them not being able to find someone that can remove the checks. – Matt Busche Jul 21 '14 at 15:33
  • @MattBusche is right, if you give them access to the code, then they can modify it to avoid any license restrictions you put in there. BTW, what on earth does a user's session have to do w/ licensing restrictions and DRM? Why would you store information related to that in a user's session?? – Sean Coyne Jul 21 '14 at 15:42
  • If they're going to host it themselves, you can send them a compiled JAR file that they deploy on their servers. This way, they do not have the source CFML, just the compiled class. Or you give them the source as encrypted CFML files. Yes, there are ways to decrypt those files, but they might not know that. If they want the ability to update the code themselves, just sell them the un-encrypted source code for an additional price. Just make sure the licensing says they cannot re-sell the code, yadda, yadda, yadda. These all avoid serial numbers. – Adrian J. Moreno Jul 21 '14 at 16:00
  • @Adrian The application is given initially as a free trial and then should only work with some kind of activating serial. I don't want a situation where they pretend to ditch it but keep using it anyway. – volume one Jul 21 '14 at 16:09
  • Then your app would need a validation service that checks with your servers on a timely basis, not some local database they host. That service could set an expiration date, a reminder to renew, and let them know (via an admin area) that there are updates that need to be applied. BlogCFC does the last part and it's free. If there has been no validation check within a certain amount of time, then the application has limited or no functionality. – Adrian J. Moreno Jul 21 '14 at 16:19
  • So even if it's an on-site install, I would have to notify them that their servers must have a working internet connection outside of their firewall. I don't know if they'll like this because the application will hold their customer data, hence why some of them don't want cloud. – volume one Jul 21 '14 at 18:29
  • This is the 21st century. Tell them if the cloud is an acceptable solution for NASDAQ, it's an acceptable solution for them. http://www.nasdaq.com/article/amazon-powers-nasdaqs-new-cloud-computing-platform-cm176472 – Adrian J. Moreno Jul 21 '14 at 18:59
  • But, but... the customer is always right...? – volume one Jul 21 '14 at 20:19
  • The customer is rarely right, and as a consultant, it is part of my job to get them to see that. Now, I won't necessarily tell them they are wrong, rather, I provide them with data that will allow them to see for themselves that they are wrong. – Scott Stroz Jul 22 '14 at 02:59

1 Answer

Moved from comments in an attempt to provide a cohesive answer.

If they're going to host it themselves, you can send them a compiled JAR file that they deploy on their servers. This way, they do not have the source CFML, just the compiled class. Or you give them the source as encrypted CFML files. Yes, there are ways to decrypt those files, but they might not know that. If they want the ability to update the code themselves, just sell them the un-encrypted source code for an additional price. Just make sure the licensing says they cannot re-sell the code, yadda, yadda, yadda. These all avoid serial numbers.

@Adrian The application is given initially as a free trial and then should only work with some kind of activating serial. I don't want a situation where they pretend to ditch it but keep using it anyway - volume one

Then your app would need a validation service that checks with your servers on a timely basis, not some local database they host. That service could set an expiration date, a reminder to renew, and let them know (via an admin area) that there are updates that need to be applied. BlogCFC does the last part and it's free. If there has been no validation check within a certain amount of time, then the application has limited or no functionality.

So even if it's an on-site install, I would have to notify them that their servers must have a working internet connection outside of their firewall. I don't know if they'll like this because the application will hold their customer data, hence why some of them don't want cloud. - volume one

This is the 21st century. Tell them if the cloud is an acceptable solution for NASDAQ, it's an acceptable solution for them.

But, but... the customer is always right...? - volume one

No, the customer is sometimes living in the past and is scared of the Now. Gartner recommends that companies purchase Software as a Service solutions, rather than building said solutions themselves. You should show them how much they'll spend to provide servers, personnel, time and so on in order to support your software on their own servers, vs. the cost of you managing it as intended. Who on their team is going to patch the application when required? Do they have programmers on staff that can figure out why something went wrong in the middle of the night? Are they going to pay you extra to be on call to support the copy on their hardware?

Show them the numbers, show them the research and you just MAY get them to understand and make the sale. Otherwise, the sale just might not be worth it.

Adrian J. Moreno

  • I would have upped this just for the last 2 paragraphs alone. – Scott Stroz Jul 22 '14 at 02:57
  • @Adrian How about the idea of having an encrypted "license file" with the source files that tells the application how long to work for and what features to enable? How viable does this sound? I have no idea how I'd go about implementing it however. – volume one Jul 24 '14 at 09:14
  • If you hand them the source code, they can program out your license file. – Adrian J. Moreno Jul 24 '14 at 15:02
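The licence-file idea raised in the last comment, worked through as an added example that is not code from the question, the answer or any ColdFusion project: the vendor signs a small JSON licence (customer, expiry, enabled features) with a private key that never leaves the vendor, and the on-premises app verifies it offline with only the public key embedded in the build, so a customer who edits the expiry or adds a feature is detected. It is written in Go because Ed25519 is in its standard library; ColdFusion can reach the equivalent JVM signature classes through createObject("java", ...). The Licence fields, customer name and dates are constructed for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"time"
)
// Licence is the signed payload. Field names are constructed for this example.
type Licence struct {
	Customer string   `json:"customer"`
	Expires  string   `json:"expires"` // RFC 3339 timestamp
	Features []string `json:"features"`
}

// Issue runs only at the vendor, so the private key never ships with the app.
// Output is base64(JSON payload || 64-byte Ed25519 signature): one line to paste in.
func Issue(priv ed25519.PrivateKey, lic Licence) string {
	payload, _ := json.Marshal(lic) // cannot fail for plain strings and slices
	return base64.StdEncoding.EncodeToString(append(payload, ed25519.Sign(priv, payload)...))
}

// Verify runs inside the deployed app with the embedded public key. An edited payload
// (expiry pushed out, feature added) or a past expiry is rejected; it cannot stop
// someone who has the source from removing the call itself.
func Verify(pub ed25519.PublicKey, token string, now time.Time) (*Licence, error) {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil || len(raw) < ed25519.SignatureSize {
		return nil, errors.New("malformed licence file")
	}
	n := len(raw) - ed25519.SignatureSize
	if !ed25519.Verify(pub, raw[:n], raw[n:]) {
		return nil, errors.New("licence signature invalid")
	}
	var lic Licence
	if err := json.Unmarshal(raw[:n], &lic); err != nil {
		return nil, err
	}
	if exp, err := time.Parse(time.RFC3339, lic.Expires); err != nil || !now.Before(exp) {
		return nil, errors.New("licence expired or has a bad expiry date")
	}
	return &lic, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // demo keypair; a vendor keeps one long-term
	tok := Issue(priv, Licence{"Acme Ltd", "2015-07-21T00:00:00Z", []string{"reports"}})
	_, err := Verify(pub, tok, time.Date(2014, 8, 1, 0, 0, 0, 0, time.UTC))
	println("licence accepted:", err == nil)
}
```

The expiry check trusts the customer's server clock, so winding the clock back extends the licence; that gap is what the answer's periodic check against the vendor's own service closes.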