Access to CodeIgniter application from desktop application

#1
I wrote a PHP application based on CodeIgniter (2.1.0). This application allows managing software licenses: the user can buy a software (desktop) license and the admin can control it. Now I'd like to add license checking from my (desktop) software. To do this, my desktop software must connect to my CodeIgniter application:

1. My (desktop) software asks my CodeIgniter application whether the user's license data are valid, plus some details about it;
2. My CodeIgniter application checks the DB and sends a response to my (desktop) software.

To do this I need to POST or GET data to a CodeIgniter application URL.
Is there a way to avoid authentication?
When I call my URL, the CodeIgniter application asks me for user authentication. This is OK, but in this case I'd like to avoid it.

What is the best solution?
Is there some fast way?
Is there some example or some plugin for this?

#2
Hey, could you be more specific? Do you want to avoid the user authentication process? If someone gets the request through Fiddler and replicates the authentication from the host files? Are you aware of this?

#3
I am currently looking at ways to do this myself; however, as a part of my process user authentication will be mandatory, as is binding the software and its serial number to the customer's hardware.

However FlevasGR is correct, it would not be hard at all to fake the request and basically 'pirate' your software. So user authentication will be an important step to help protect your software.

I am not a rich guy so I cannot go out and purchase a solution that is way more robust, so I am stuck making my own solution, which is proving to be a challenge. I am currently looking over a few of the open source tools for ideas, but they are not proving to be of much help.

#4
The problem is this: if I use the CodeIgniter authentication system, I have to authenticate first and then do the license checking.
I have no idea about it.

So I thought of adding a "password field" to my license checking to validate the request.

Anyway, I'm open to any system; the official CodeIgniter authentication system is also OK if somebody explains to me how to implement it.

The software application is written in Delphi.

(10-29-2014, 06:17 AM)Hobbes Wrote: I am not a rich guy so I cannot go out and purchase a solution that is way more robust, so I am stuck making my own solution, which is proving to be a challenge. I am currently looking over a few of the open source tools for ideas, but they are not proving to be of much help.

For the same reason I have written my "CodeIgniter application". It allows:
FOR USER
- buy license (by PayPal);
- manage orders;
- get support by ticket;
- download software and updates;
- ...
FOR ADMIN
- create products (including free update and support);
- manage orders (including invoices);
- manage ticket requests;
- ...

I have almost finished it, but I need to test it and create a valid integration with my software based on VCL (Delphi/C++ Builder) and DLL (other language).

#5
For me, I personally use Ion Auth, but there are several authentication libraries for CodeIgniter that are great.

Sending the 'login data' from your desktop app to your CI web app is, for all intents and purposes, no different than using a login form on your website.

The data is sent to CI via the POST method, the CI controller receives said data and authenticates it, then sends back a response. You can send this response back as JSON, plain text, XML, or even a custom format if you like. Sending the data to and from your web and desktop app should always be heavily encrypted, then decrypted on either end.

#6
Just to see how simple it is to steal every request made to your server: https://www.dropbox.com/s/qmmaq3j90zaodk...1.png?dl=0
This is a Windows application I'm developing for managing and monitoring serial (COM) ports. It's pretty powerful, with remote control, logging options and recipes. (C#)
As you can see, in order to fetch the online help and check the user's version I need to make a few requests back to my server. With Fiddler2 you can debug them and see what's going on. You can't avoid it. (In my case I don't care since the project is free and open source.)

#7
And there is the thing: no matter what system you use for software licensing, it will never be foolproof. But there are ways to make the hacker's life difficult. But in no way will any licensing method be perfect.

So finding or making a solution that will work for you is the key.

#8
(10-29-2014, 06:52 AM)Hobbes Wrote: For me, I personally use Ion Auth, but there are several authentication libraries for CodeIgniter that are great.

Sending the 'login data' from your desktop app to your CI web app is, for all intents and purposes, no different than using a login form on your website.

The data is sent to CI via the POST method, the CI controller receives said data and authenticates it, then sends back a response. You can send this response back as JSON, plain text, XML, or even a custom format if you like. Sending the data to and from your web and desktop app should always be heavily encrypted, then decrypted on either end.

Two questions:
1. OK, I send login data to CI via POST, and CI responds with a cookie in the case of a browser. Is it the same if I send the data with my desktop application? If yes, I think I'll add these "cookies" to the license checking; otherwise CI will block my request. How must I use the "cookies" data?

2. How do I encrypt my data from/to desktop/server?

Thanks

#9
Many people are using their own servers. If you're hosting your application on your machine, everyone can use it and buy it, but no one can break it. It's on your side! The cost might go high, but it's worth it.

#10
You don't really need to send back a cookie. The controller that receives the data, like I said, could send back a response in whatever format you want (JSON, XML, etc.).

an example

John Doe comes to my site, registers, buys my software, and receives a software key. After install they go to the register dialog.

the sample data sent to server could be these items:

Fullname: John Doe
email address: [email protected]
password: abcde12345
installkey: 178BF-BFF00-100F4-290FB-A62DC-1A7EA-B73F6-F
serial number: XX99X-9XX99-99X9X-XX9X9-999XX-X9X9X

You would then use one of many different encryption methods like: tripledes, rsa, etc.

The controller receives the encrypted data via the HTTPS POST method, decrypts the data, validates the user's account, checks the serial number, verifies that this is the first time the user is installing, registers the installkey, and sets a flag to tell the server that the software has been installed for the first time. Then it sends back a validation response.

On the software side, your app receives the response, decrypts the encrypted response and validates its authenticity, then stores pertinent data in an encrypted storage method.

Now Joe Blow downloads the demo, and somehow got hold of John Doe's serial number. He tries to register it, but fails because the server knows that John Doe has already installed it. Plus, the install key is different.

Now Sam Spam is a hacker. He gets the demo and is trying to fake the server response. However, since the real server is running on HTTPS with certs, Sam Spam is missing vital parts of the response and has a helluva time trying to pirate the software.

---
Not foolproof, but for an average user it would be too difficult to pirate it.

Now for decryption the server and the software would share a private decryption key. This key is not sent during registration. How this private key is stored on both client and server sides is pretty critical. You have to store it in a way that makes it a nightmare for hackers to find and decode.
Reply
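
The registration exchange described in post #10, as an added example that is not part of the original thread or any poster's code: plain PHP 7.1+, with an in-memory array standing in for the license table. It swaps the post's encrypt/decrypt step for an HMAC-SHA256 over the response plus a client-chosen nonce (both are assumptions made here, with HTTPS left to provide confidentiality); `check_license`, `verify_response` and `SHARED_KEY` are hypothetical names.

```php
<?php
// Added example; every name and the key below are hypothetical, constructed values.
const SHARED_KEY = 'constructed-demo-key'; // the key shared by server and desktop app

// Server side. $licenses stands in for the DB: serial => install key (null = unused).
function check_license(array &$licenses, array $req): array
{
    $serial = (string) ($req['serial'] ?? '');
    $key    = (string) ($req['installkey'] ?? '');
    if (!array_key_exists($serial, $licenses)) {
        $status = 'unknown_serial';
    } elseif ($licenses[$serial] === null) {
        $licenses[$serial] = $key;       // first activation registers the install key
        $status = 'valid';
    } elseif (hash_equals($licenses[$serial], $key)) {
        $status = 'valid';               // same installation checking again
    } else {
        $status = 'already_installed';   // serial reused with another install key
    }
    // The client's nonce is echoed and signed so an old response cannot be replayed.
    $body = json_encode(['status' => $status, 'nonce' => (string) ($req['nonce'] ?? '')]);
    return ['body' => $body, 'mac' => hash_hmac('sha256', $body, SHARED_KEY)];
}

// Client side: accept a verdict only if the MAC and the nonce both match.
function verify_response(array $resp, string $nonce): ?string
{
    $expected = hash_hmac('sha256', $resp['body'], SHARED_KEY);
    if (!hash_equals($expected, $resp['mac'])) {
        return null;                     // forged or modified response
    }
    $data = json_decode($resp['body'], true);
    return hash_equals($nonce, (string) $data['nonce']) ? $data['status'] : null;
}

$serial   = 'XX99X-9XX99-99X9X-XX9X9-999XX-X9X9X';   // sample serial from the post
$licenses = [$serial => null];
// John Doe activates with the install key from the post.
$n1 = bin2hex(random_bytes(16));
$r1 = check_license($licenses, ['serial' => $serial, 'nonce' => $n1,
    'installkey' => '178BF-BFF00-100F4-290FB-A62DC-1A7EA-B73F6-F']);
var_dump(verify_response($r1, $n1));
// Joe Blow tries the same serial from another machine (constructed install key).
$n2 = bin2hex(random_bytes(16));
$r2 = check_license($licenses, ['serial' => $serial, 'nonce' => $n2,
    'installkey' => '00000-CONSTRUCTED-KEY']);
var_dump(verify_response($r2, $n2));
// John's captured response is replayed against a fresh nonce and must be refused.
var_dump(verify_response($r1, $n2));
```

In a CodeIgniter controller the request fields would come from calls such as `$this->input->post('serial')` and the array lookup would be a database query.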

