I’ve been doing some searching on the EE and CI forums, but there doesn’t seem to be a topic covering this already.
I’m in the process of developing an add-on that I plan on selling, and I’m trying to determine the best course of action for licensing / protecting it.
Of course the most obvious (and seemingly secure) approach is to encrypt my code with Zend Guard, ionCube, or equivalent. I think this is an awful, awful idea on a lot of levels. It seems miserly and selfish, in addition to creating artificial environment restrictions for any clients that would want to use the add-on. Personally, I always want to look under the hood of anything I’m paying for (EE included), especially if there is a piece of functionality I want to understand better (or an error being thrown that I suspect is a bug in third-party code).
So let’s assume that some kind of encryption of the code itself is off the table.
It seems that most add-on developers generate a license key during the purchasing process, and then clients enter this key when they first set up the add-on.
Of course, I am poking around under the hood of a few different paid add-ons to glean some clues on how others do the validation, etc., but I wanted to throw a few questions out for discussion:
Are there any secrets / tips to the generation of the key itself? Are people generally using just random hashes / codes, or are they hashing some part of the code itself? A version number or some kind of unique identifier for that client?
Some people link license keys to domain names, but personally my gut reaction is to avoid this if possible (although it’s certainly more palatable than encrypting the code itself). How do people feel about this practice?
Since all your PHP code is open for modification, what stops people from simply deleting any sort of validation / license key checking code that you write? Or delete any domain checking code that you write? Basically, anything you do to secure your application?
I’m not one of those developers that thinks my code should be under lock and key, hidden from sight. I want to share it with the world, and help people both by having them use it and having them learn from it (or point and laugh).
My goal is merely to protect my time investment in this add-on, and do due diligence to learn what my predecessors have done to handle these issues.
Incidentally, I’d love some resource links to any useful websites / articles discussing license key generation or securing PHP applications. I’ve been googling for that kind of thing, but as you can imagine the vast majority of the results are for keygen warez or get-rich-quick-by-selling-your-software stupidity. Having some trouble separating the wheat from the chaff.
Thanks! ~Chuck
Chuck,
Let me add my thoughts to your discussion.
A license (key) mechanism has proven to increase return sales by 20%. So there is some sense in adding it to your product.
But since the source code will always be unencrypted, people who want to bypass the license checks will just need to change the code that does that.
EllisLab does have a license key, but they don’t do license checks, since you can run EE without a license.
The way they add some degree of control is in support. If you didn’t buy the software you can’t post in the support forums.
I am also curious to see what other people's thoughts/ideas are! Merry Christmas!