generate license key for commercial module

[jploch]

Hi folks,
Iam working on a rather complex pagebuilder module, which took a lot of time to build.
Now the module is almost ready and my plan is to release it as a commercial module at some point.
This will help me to support the module in the future as well as cover some of the time/costs it took to make it.

There will be 3 licenses:
- Single website
– 3 websites
– 10 websites

To protect the module from being used without a license, Iam looking for a simple way to generate a license key, that is tied to a domain.
It don't has to be the most secure methode. If possible it will work without making a connection to an external server to check the key?
I have no experience with this but I picture it may work like this:

1. When the user buys the module, he/she needs to enter a domain, or multiple domains (based on the license).
2. The user can download the module and gets a license key (generated based on the domains entered?)
3. After installing the module in the backend, the user needs to enter the license key
4. The module checks if the url matches the key and grant/denies acess.

Another idea might be to use the userAuthSalt stored in the config file of PW to generate the key.
But then the key needs to be generated after the module is installed.

How would you generate the license key?
 

[rick]

That is a question I've been working on since the mid 90s. There is no simple solution when dealing with publicly viewable code.

Generating a unique key is straightforward (eg, GUID, etc.). Validating the key requires a 'phone home' procedure, whether you do it on install or every time the code is executed is a choice to make.

The problem lies with controlling the source code execution based on that validation. It is not possible to accomplish that with publicly viewable code.

[jploch]

@rick thanks! Seems like there is no easy solution. I would rather like to focus on the module itself, than on the protection of it.

Maybe I will use a ready made solution like Easy Digital Downloads, but that seems to be made for wordpress.
Is there anything similar that someone has used to sell digital products with licensing?

[rick]

Basically, the simplest solution, for example, is to use something similar to paypal's 'buy now' buttons; one for each license type. It really doesn't matter about a specific license ID unless you want to identify a particular user when they request support, etc., and then you can pass a unique ID which is returned with the transaction confirmation. In this example, you don't need to mess with any type of license key entry in your module; The customer just downloads the module from an email link. You insert the 'transaction id' in the email for their records that you can compare with your database entry at some future date.

I know my replies seem somewhat 'negative' toward a viable solution and I apologize for that. On a positive note, one method I used many years ago was to keep certain 'key' functions on the server. The program would pass the license key and specific data to be processed on the server. If the license was valid, then the result was returned to the program for further processing. Again, this requires a 'phone home' procedure, which most people, including myself, don't really like.

 

[netcarver]

Highly recommend Gumroad for selling this. It takes care of all sales tax nightmares and can automatically generate a license key per sale.

Personally I wouldn't try adding license key checking into scriptable code (like PHP) as people who are going to cheat you are just going to edit the code to remove the check anyway, or just have it return true etc.  Where the key can come in useful is for access to value-added features like support, so you ask "What's your license key" as part of the user's access to your support mechanism (forums/email etc)

[jploch]

21 minutes ago, rick said:

Basically, the simplest solution, for example, is to use something similar to paypal's 'buy now' buttons; one for each license type. It really doesn't matter about a specific license ID unless you want to identify a particular user when they request support, etc., and then you can pass a unique ID which is returned with the transaction confirmation. In this example, you don't need to mess with any type of license key entry in your module; The customer just downloads the module from an email link. You insert the 'transaction id' in the email for their records that you can compare with your database entry at some future date.

That seems simple enough, but that would not prevent the use of my module on multiple unregistered domains. Also not sure what you mean with "compare with your database entry at some future date"?  

[rick]

23 minutes ago, jploch said:

but that would not prevent the use of my module on multiple unregistered domains

Exactly. That is the crux of the problem here. It's not any different than the other module developers here selling pro versions. Unscrupulous people will always find a way to circumvent licensing. The best you can do is trust the customer to honor your license models.

23 minutes ago, jploch said:

compare with your database entry

You save the license id, transaction id, or whatever id for future reference. It could be in a database or a spreadsheet so that any inquiries from a customer can be checked against that database for validity.

[jploch]

19 hours ago, netcarver said:

Highly recommend Gumroad for selling this. It takes care of all sales tax nightmares and can automatically generate a license key per sale.

Gumroad looks very promising! Will take a closer look, that might just be what I need. From what I can see it's even possible to inform the customer of new versions of the module and adding subscriptions for support etc. Sweet! 

[jamescarrey870a]

Generating a unique key, such as a GUID, is a simple process. However, validating the key requires implementing a "phone home" procedure, which can be done during installation or each time the code is executed. The challenge arises when trying to control the execution of source code based on this validation. It is not feasible to achieve this level of control when the source code is publicly accessible.