One for the gurus ! How would you design and solve this ?

[Softwaremaker]

Hi all fellow developers,

Say, I am developing a Web application for a company (ComA) using ASP.

This solution after its done will be handed over to ComA. I will still retain
the rights to the program tho. I want this full ASP solution, once its being
used, to send and notify my website where my website will take note of the
URL (ComA's URL) and log an entry into my database (on my site) then sends
itself back to the ComA's URL where they will continue with the processing
of their application. The best would be to send back a certain value or parameter
and the application on ComA will act accordingly.

This is to prevent unauthorised copying and infringment of the source and
my rights. How would you guys plan and design this ?
Do you think ASP scripts can do the job ? After all, anyone in ComA can take
a look at those scripts and work around that after a while. Maybe webclasses
or COM objects. Any ideas ?

Thanks for your advice and help.


__________________
William
www.SoftwareMaker.net
William@SoftwareMaker.net

[Russell Jones]

Interesting problem.

Consider creating a free-threaded component that performed some critical
part of the processing for the application, and load the component in
global.asa. During application startup, you could have the component post
the notification data you want to your Web site. You should also make sure
that the component will work even if it can't reach your Web site, and that
you have a way to change the URL that the component called. Alos, consider
having it log the data somewhere--in the application log, the database, or a
file. Your site should send back an acknowledgement that would set a flag
inside the component. Each time the application called the component, you
can check to make sure the acknowledgement had been received, and if not,
retry the notification operation. You should make a decision about what to
do after some number of unsuccessful tries; for example, you could disable
the application altogether, or you could begin to generate notices of some
kind. You're right that you can't create a robust solution with ASP pages
alone. Depending on your needs, you could force the operation to occur every
time the application starts, or only the first time the application runs,
after which you can check the environment against a stored bit of data to
ensure that the application is still running on the same server.

I suspect you'll run into instances where the server on which the
application is installed can't reach your server. After a certain number of
unsuccessful tries, you could consider having the component create a client
script that forced the client browser to post the data to your site--perhaps
by creating a hidden iframe in the HTML--thus moving the responsibility for
connecting to your site from the installed server to the client. You could
potentially also use this second type of connection to track the number of
users of your application from the installed site.

A good network administrator and a good programmer could defeat these
methods without too much trouble, but the average person either wouldn't be
able to, or wouldn't bother.

Obviously, your site's availability is critical to the success of any such
mechanism. I suspect you're potentially liable for damages from legitimate
users if you disable or damage the application in the event it can't reach
your site, so you should think long and hard before you implement any such
feature. You may also be liable for damages if you don't publicize the fact
that the application contacts your site and sends information--and you'll
need to state exactly what information it sends, otherwise you're
effectively "stealing" private information from the company that installed
your application. If I were buying your application, that would probably be
a show-stopper.


"Softwaremaker" <William@softwaremaker.net> wrote in message
news:3c045d7c$1@147.208.176.211...
>
> Hi all fellow developers,
>
> Say, I am developing a Web application for a company (ComA) using ASP.
>
> This solution after its done will be handed over to ComA. I will still
retain
> the rights to the program tho. I want this full ASP solution, once its
being
> used, to send and notify my website where my website will take note of the
> URL (ComA's URL) and log an entry into my database (on my site) then sends
> itself back to the ComA's URL where they will continue with the processing
> of their application. The best would be to send back a certain value or
parameter
> and the application on ComA will act accordingly.
>
> This is to prevent unauthorised copying and infringment of the source and
> my rights. How would you guys plan and design this ?
> Do you think ASP scripts can do the job ? After all, anyone in ComA can
take
> a look at those scripts and work around that after a while. Maybe
webclasses
> or COM objects. Any ideas ?
>
> Thanks for your advice and help.
>
>
> __________________
> William
> www.SoftwareMaker.net
> William@SoftwareMaker.net
>
>

[Digit]

I like the way you think. I ran into the same problem and had to get an attorney
involved to solve it.

I went the route of com objects. You can place most of your code inside com
objects with minimum changes. The bonus is you can re-use the code and it
executes quicker. You both win.

Digit

[Derek]

William,

It is possible to ASPEncrypt your ASP pages (MS have a tool to do this).
It slows down your site marginally but nobody but nobody can look into your
ASP code.

To avoid illegal use is a typical licensing scenario. In the past I have
created a component that gets instatiated in the Global.asa and needs a special
string in the application variable to work. The component changes the string
it requires regularily. I used a secure page to post the new string to an
admin page which updates the string in the application variable. If this
string doesn't get updated then the site stops running (I do the check in
a component that is used to get the applications database connection string
(or strings if multiple DBVs are supported). If the license string check
fails, no connections, no working application.

There are numerous other licensing models you could use (strong name key,
certificate signing, etc).


Look into the ASP encryptor as this will protect your source code rights
in any event.


Good luck.










"Softwaremaker" <William@softwaremaker.net> wrote:
>
>Hi all fellow developers,
>
>Say, I am developing a Web application for a company (ComA) using ASP.
>
>This solution after its done will be handed over to ComA. I will still retain
>the rights to the program tho. I want this full ASP solution, once its being
>used, to send and notify my website where my website will take note of the
>URL (ComA's URL) and log an entry into my database (on my site) then sends
>itself back to the ComA's URL where they will continue with the processing
>of their application. The best would be to send back a certain value or
parameter
>and the application on ComA will act accordingly.
>
>This is to prevent unauthorised copying and infringment of the source and
>my rights. How would you guys plan and design this ?
>Do you think ASP scripts can do the job ? After all, anyone in ComA can
take
>a look at those scripts and work around that after a while. Maybe webclasses
>or COM objects. Any ideas ?
>
>Thanks for your advice and help.
>
>
>__________________
>William
>www.SoftwareMaker.net
>William@SoftwareMaker.net
>
>

[Marcus Tucker]

Russell Jones makes some excellent points - I wholeheartedly agree with his
suggestions.

Just to clarify though, NO-ONE should rely on the MS Script Encoder to protect
their code. It can be decrypted back to the original script VERY EASILY.
Thus, any checking system is best left to a COM component as Russell says.

What about using the server's specific NIC MAC address(es) - This is essentially
a unique ID, and would be ideal for use as information to look up in your
database to verify the license. The MAC address of the NIC bound to the internet
connection can be obtained through scripting. I suggest recompiling your
COM object with the hardcoded MAC address changed for each specific license
(naturally, you would need to obfuscate and/or checksum the MAC address string
so that it could not simply be hexedited) - or use an RC4 encrypted license
file which you generate and deploy with each installation, which is sent
to your live web server for authentication. It is clearly important to make
sure that you allow for the possibility of multiple NICs in the machine,
but no problem to accomodate.

If any of the above isn't particularly clear, it's probably beacuse I've
got a terrible hangover and I'm about to fall asleep, but please contact
me via email if you need more info! (I don't visit this group on a regular
basis)

Good luck!

Regards,

Marcus Tucker
www.marcustucker.com