Currently I sell a program that accesses my webpage. The program is HWID (hardware ID) locked, and the only reason I use the program to access the webpage instead of direct access via a web browser is so that I can use HWID authentication.
However, I've just been told I can code a script to get computer information, such as hardware ID etc.
Is this actually possible completely server-side? If so, can I do it with PHP? If not, what language would this be, and what functions would I have to look into for this?
Whoever told you that is confused with something else.
Browsers do not expose that kind of hardware information to a web server at any point, so there is no existing mechanism for a server-side PHP script to get a visitor's HWID. JavaScript provides very limited information about display resolution and color depth, but certainly not something like HWID. A very long time ago, it used to be possible to use ActiveX objects in JavaScript in IE to retrieve hardware information via WMI, but you can bet that's not possible anymore, especially on a non-intranet zone site. You'd most certainly need some kind of browser plugin or extension; Flash does not provide the HWID, so you're looking at something custom-written by you that must be installed on a visitor's machine either prior to or during their visit.
You're better off continuing to sell the app that gets the HWID itself and then accesses your web site, because that's going to be far less painful than writing browser extensions and plug-ins for all major browsers to provide that information in a secure way.
I've a rather odd requirement: I want users to be able to verify the live source code of a web app before they input data or extract data from it.
Or, on a higher level, the users need to be reasonably assured of what is being done (and not done) in the back end. Of course, if you inspect the stream from a process external to the web server, this becomes a useless exercise. But I only need a reasonable level of assurance.
What are the options? I'm willing to use pretty much any server side language/platform, provided it serves the purpose better than the alternatives. It cannot be a method that can be used to easily spoof the source code -- there has to be some assurance that the code is live and not a separate copy (something equivalent to making /var/www/app and apache conf world-readable, but not exactly).
Update: this should be read-only
Giving them access to your Git sources is simple and straightforward. If you cannot convince them that you deploy what you show, you lose anyway. There is no way to prove that with a more convoluted system either (short of giving them write access!)
No server-side solution will do. If the users don't trust the server to begin with then showing them some code will not convince them that the code is actually what processes their input, or that no one is listening in on the traffic or on the server-side process.
If the server is not a trusted platform as far as the users are concerned, then you will have to execute the code somewhere the users do trust: on a trusted 3rd party, or even better on the user's machine itself. Be that as a downloadable module they can inspect and run themselves (something interpreted, most likely, like Python or node) or even better: in their browser.
I'm on board with the whole cookieless domains / CDN thing, and I understand how just sending cookies for requests to www.yourdomain.com, while setting up a separate domain like cdn.yourdomain.com to keep unnecessary cookies from being sent can help performance.
What I'm curious about is if using PHP's native sessions have a negative effect on performance, and if so, how? I know the session key is kept track of in a cookie, which is small, and so that seems fine.
I'm prompted to ask this question because in the past I've written my web apps and stored a lot of the user's active data, preferences, and authentication information in the $_SESSION variable. However, I notice that some popular web applications out there, like Wordpress, don't use $_SESSION at all. But sessions are easy to use and seem fairly secure, especially if you combine them with tracking user-agent / IP changes to prevent session hijacking. So why don't Wordpress and other web apps use PHP's sessions? Should I also stop using sessions?
Also, let me clarify that I do realize the server must load the session data to process a page request, but that's not what I'm asking about here. My question is about if / how it impacts the network performance, especially in regard to the headers being sent / received. For example, does using sessions prevent pages or images on the site from being served from the browser's cache? Is the PHPSESSID cookie the only additional header that is being sent? These sorts of things.
The standard store for $_SESSION is the file-system with one file per session. This comes with a price:
When two requests access the same session, one request will win over the other and the other request needs to wait until the first request has finished. A race condition controlled by file-locking.
Using cookies to store the session data (Wordpress, Codeigniter), the race-condition is the same but the locking is not that immanent, but a browser might do locking within the cookie management.
Using cookies has the downside that you cannot store that much data and that the data gets passed with each request and response. This is likely to trigger security issues as well. Steal the cookie and you've got the data. If it's encrypted, an attacker can try to decrypt it to gain the data stored therein.
The historical reason for Wordpress was that the platform never used the PHP Sessions. The root project started around 2000, it got a lot of traction in 2002 and 2004. As session handling was only available with PHP 4 and PHP 3 was much more popular that time.
Later on, when $_SESSION was available, the main design of the application was already done, and it worked. Next to that, in 2004/2005 Wordpress decided to start a commercial multi-blog hosting service. This created a need for scaling the application(s) across servers, and cookies+database looked easier for the session/user handling than using the $_SESSION implementation. In fact, this is pretty easy and just works, so there never was a need to change it.
For Codeigniter I cannot say that much. I know that it stores all session information inside a cookie by default. So session is just another name for cookie. Optionally it can be encrypted, but this needs configuration. IIRC it was said that this has been done because "most users do not need sessions". For those who need them, there is a database backend (requires additional configuration) so users can change from cookie to database store transparently within their application. There is a new implementation available as well that allows you to change to any store you like, e.g. to native PHP sessions as well. This is done with so-called drivers.
However this does not mean that you can't achieve the same based on $_SESSION nowadays. You can replace the store with whatever you like (even cookies :) ) and the PHP implementation of it should be encapsulated anyway in a good program design.
That done you can implement a store you can better control locking on (e.g. a database) and that works across servers in a load balanced infrastructure that does not support sticky sessions.
Wordpress is a good example of an own implementation of session handling totally agnostic to whatever PHP offers. That means the wheel has been re-invented. With a view from today, I would not call their design explicitly innovative, so it fulfills a very specific need in a very specific environment that you can only understand if you know about the project's roots.
Codeigniter is maybe a little step ahead (in an interface sense) as it offers some sort of (unstable) interface to sessions and it's possible to replace it with any implementation you like. That's much better for new developers but it's also sort of re-inventing the wheel because PHP does this already out of the box.
The best thing you can do in an application design is to make the implementation independent from system needs, so to make the storage mechanism of your session data independent from the rest of the program flow. PHP offers this with a pretty direct interface, the $_SESSION array and the session configuration.
As $_SESSION is a superglobal array you might want to prevent your application from accessing it directly, as this would introduce global state. So in a good design you would have an interface to it, to be able to fully abstract away from the superglobal.
Having done that, plus abstraction of the store plus configuration (e.g. all in one session dependency container), you should be able to scale and maintain your application well over as many servers as you like for whatever reason. Your implementation then can just use cookies if you think that's it for you. However, you will be able to switch to database-based sessions in case you need it, without the need to rewrite large parts of your application.
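The design described in the answer above (a replaceable store behind a small interface, so application code never touches the superglobal), as an added example that is not part of the original answer. The class names, the `sessions` table and the in-memory SQLite database are assumptions made for illustration; PHP 8 with the pdo_sqlite extension is assumed, and a real deployment would point the PDO connection at a database shared by all web servers.

```php
<?php
declare(strict_types=1);

// Added example: database-backed session store. Names are hypothetical.
final class PdoSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db)
    {
        $db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY, data TEXT NOT NULL, touched INTEGER NOT NULL)');
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $q = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $q->execute([$id]);
        $data = $q->fetchColumn();
        return $data === false ? '' : (string) $data; // unknown id: empty session
    }

    public function write(string $id, string $data): bool
    {
        // No lock is taken here: requests sharing a session are not serialized
        // as they are with the file store, and the last write wins.
        $q = $this->db->prepare('REPLACE INTO sessions (id, data, touched) VALUES (?, ?, ?)');
        return $q->execute([$id, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $q = $this->db->prepare('DELETE FROM sessions WHERE touched < ?');
        $q->execute([time() - $max_lifetime]);
        return $q->rowCount();
    }
}

// The rest of the application depends on this class, never on $_SESSION.
final class Session
{
    public function __construct(SessionHandlerInterface $store)
    {
        session_set_save_handler($store, true);
        session_start(['cookie_httponly' => true, 'cookie_samesite' => 'Lax']);
    }
    public function get(string $key, mixed $default = null): mixed { return $_SESSION[$key] ?? $default; }
    public function set(string $key, mixed $value): void { $_SESSION[$key] = $value; }
    public function save(): void { session_write_close(); }
}

// Demo run (works from the CLI): the data ends up in the table, not in a file.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$session = new Session(new PdoSessionHandler($db));
$session->set('user_id', 42);
$session->save();
echo $db->query('SELECT data FROM sessions')->fetchColumn(), PHP_EOL;
```

Swapping the store later means passing a different `SessionHandlerInterface` implementation to `Session`; callers of `get()` and `set()` do not change.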
I'm not 100% confident this is the case but one reason to avoid the built-in $_SESSION mechanism in PHP is if you want to deploy your web application in a high-availability web farm scenario.
Because the default session behavior in PHP is to store session objects in process, in memory, it makes it hard (if not impossible) to have multiple servers processing requests from the same user. You would only have this if you wanted to deploy your web application in a web farm environment where you have a number of PHP web servers processing requests for your app to balance the load.
So, while in-process session state is generally much faster than a database-based solution, the latter is favorable when you need to process a huge number of requests and to service the capacity a web-farm environment is used.
As I said in the beginning, I'm not 100% sure if PHP supports configuring the session state provider to be a database, or session state server, instead of the in-process default.
I need to reliably get the id of a user from the PC using PHP.
I tried using
gethostbyaddr($_SERVER['REMOTE_ADDR']);
but that returns the network name of the pc, not what they actually logged in with.
I then tried
var WshShell = new ActiveXObject('WScript.Network');
document.form1.item('uid').value = WshShell.UserName;
which returned the value I needed, but has inherent issues:
browser security
being able to completely bypass by using browsers other than IE
Is there a way to get the ID that I am just not finding?
Looking at the discussion in the comments, the correct answer is to build a proper, run-of-the-mill login system like millions of sites already employ.
There is no safe mechanism to uniquely identify a PC to a server side application, plus as you say, users could switch machines on a daily basis.
You could set a cookie, but that is laughably trivial to fake.
See e.g. here for some good answers on authentication libraries for PHP.
You can figure out all sorts of client-side tricks which will possibly work in some combinations of operating system and browser. But, in the end, everything will be transmitted to the server using good old HTTP. That's all that the server (the only side you have full control on) will receive: a bunch of text. There's no way to tell whether the request came from your fancy ActiveX or was typed in a telnet command prompt.
Of course, there are ways to authenticate requests. That's one of the usages of cryptography. But, again, all you'll ever know is whether the signature was generated with the appropriate key. You cannot be sure of who the user is or what computer he's using, all you know is that it's someone who got a copy of the key.
Now, it's really complicated to build a login system that does not have its own users. As far as I know, even OpenID-based systems bind remote users to local users. Are you sure it's a requisite?
If you have a single-signon type of system running on Windows Active Directory, consider getting user data via LDAP.
I asked a recent question regarding the use of readfile() for remotely executing PHP, but maybe I'd be better off setting out the problem to see if I'm thinking the wrong way about things, so here goes:
I have a PHP website that requires users to login, includes lots of forms, database connections and makes use of $_SESSION variables to keep track of various things
I have a potential client who would like to use the functionality of my website, but on their own server, controlled by them. They would probably want to restyle the website using content and CSS files local to their server, but that's a problem for later
I don't want to show them my PHP code, since that's the value of what I'd be providing.
I had thought to do this with calls to include() from the client's server to mine, which at least keeps variable scope intact, but many sites (and the PHP docs) seem to recommend readfile(), file_get_contents() or similar. Ideally I'd like to have a simple wrapper file on the client's server for each "real" one on my server.
Any suggestions as to how I might accomplish what I need?
Thanks,
ColmF
As suggested, comment posted as an answer & modified a touch
PHP is an interpretive language and as such 'reads' the files and parses them. Yes it can store cached byte code in certain cases but it's not like the higher level languages that compile and work in bytecode. Which means that the php 'compiler' requires your actual source code to work. Check out zend.com/en/products/guard which might do what you want though I believe it means your client has to use the Zend Server.
Failing that, sign a contract with the company that includes clauses of not reusing your code / etc etc. That's your best protection in this case. You should also be careful though, if you're using anything under an 'open source' license your entire app may be considered open source and thus this is all moot.
This is not a non-standard practice for many companies. I have produced software I'm particularly proud of and a company wants to use it. As they believe in their own information security for either 'personal' reasons or because they have to comply to a standard such as PCI there are times my application must run in their environments. I have offered my products as 'web services' where they query my servers with data and receive responses. In that case my source is completely protected as this is no different than any other closed API. In every case I have licensed the copy to the client with provisions that they are not allowed to modify nor distribute it. This is a legal binding contract and completely expected from the client's side of things. Of course there were provisions that I would provide support etc etc but that's neither here nor there.
Short answers:
Legal agreement, likely your best bet from everyone's point of view
Zend guard like product, never used it so I can't vouch for it
Private API but this won't really work for you as the client needs to host it
Good luck!
If they want it wholly contained on their server then your best bet is a legal solution not a technical one.
You license the software to them and you make sure the contract states the intellectual property belongs to you and it cannot be copied/distributed etc without prior permission (obviously you'll need some better legalese than that, but you get the idea).
Rather than remote execution, I suggest you use a PHP source protection system, such as Zend Guard, ionCube or sourceguardian.
http://www.zend.com/en/products/guard/
http://www.ioncube.com/
http://www.sourceguardian.com/
Basically, you're looking for a way to proxy your application out to a remote server (i.e.: your clients). To use something like readfile() on the client's site is fine, but you're still going to need multiple scripts on their end. Basically, readfile scrapes what's available at a particular file path or URL and pipes it to the end user. So if I were to do readfile('google.com'), it would output the source code for Google's homepage.
Assuming you don't just want to have a dummy form on your clients' sites, you're going to need to have some code hanging out on their end. The code is going to have to intercept the form submissions (so you'll need a URL parameter on the page you're scraping with readfile to tell your code that the form submission URL is your client's site and not your own). This page (the form submission handler page) will need to make calls back to your own site. Think something like this:
readfile("https://your.site/whatever?{$_SERVER['QUERY_STRING']}");
Your site is then going to process the response and then pass everything back to your clients' sites.
Hopefully I've gotten you on the right path. Let me know if I was unclear; I realize this is a lot of info.
I think you're going to have a hard time with this unless you want some kind of funny wrapper that does curl type requests to your server. Especially when it comes to handling things like sessions and cookies.
Are you sure a PHP obfuscator wouldn't be sufficient for what you are doing?
Instead of hosting it yourself, why not do what most php applications do and simply distribute the program to your client with an auto-update feature? Hosting it yourself is complicated, from management of websites to who is paying for the hosting.
If you don't want it to be distributed, then find a pre-written license that allows you to do this. If you can't find one then it's time to talk to a lawyer.
You can't stop them from seeing your code. You can make it very hard for them to understand your code, which is a good second best. See our SD PHP Obfuscator for a tool that will scramble the identifiers and the whitespacing in the code, making it much more difficult to understand.
Say I have developed a php webapp and would like to distribute it for others to use as proprietary software. Is there anything I can do short of some sort of licence or just trusting the customer to avoid having to provide a hosted solution? Clearly if I just distribute the application to paying customers to host independently, I run the risk of them leaking the code.
Update:
Some of the responses so far suggest obfuscation. However, this won't prevent another user from simply plopping the leaked obfuscated code onto their servers and reusing it. Granted they won't be able to modify it..but I am looking for something more complete. Any ideas?
Obfuscating it can go a long way. Many users won't try to figure out the logic.
You can also add a registration key -- something that calls the mothership and acts like a dongle.
Edit: What I was going for with the registration: You can sell licenses by the domain, and require users to register their domain at your website after they buy.
One script I bought requires activation at their website. (The script is obfuscated as well.) Don't enter the domain, the software ceases working after a certain period of time. Transfer domains, and the software ceases to work.
I don't know the mechanics but the basic idea is that you want to guarantee that the script is running at the domain the purchaser said it was running at.
Can you elaborate please on the registration key? Will there be some logic in the code preventing it from running unless a valid registration key is obtained from another server?
To do this, you would have to generate a key for the user when they purchased the application. The application would then communicate with a master server which in turn looks up the key and checks the domain the key is coming from and sends back a simple true or false reading. If the response is true, the application would then continue its operation, otherwise it would shutdown.
The only problem with this method is that if your master server were to ever go down, all of your clients would be locked out (unless you created a condition where if the master server was down, the default response would be true).
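The key-and-domain check described above, as an added example that is not part of the original reply: the master server signs its answer, and the application keeps the last good answer so that an outage gives a bounded grace period instead of a lockout or a default of true. Function names, the token layout, the sample key and the domains are constructed for illustration; PHP 7.2+ with the sodium extension is assumed, and the call to the master server is simulated by a local function call.

```php
<?php
declare(strict_types=1);

// --- Master server side: the signing key never leaves this machine. ---
function master_check(array $licenses, string $sk, string $key, string $domain, int $now): string
{
    $ok = isset($licenses[$key]) && hash_equals($licenses[$key], $domain);
    $body = json_encode(['key' => $key, 'domain' => $domain, 'valid' => $ok, 'issued' => $now]);
    return base64_encode(sodium_crypto_sign_detached($body, $sk)) . '.' . base64_encode($body);
}

// --- Distributed application side: ships with the public key only. ---
function verify_token(string $token, string $pk, string $key, string $domain): ?array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $sig  = base64_decode($parts[0], true);
    $body = base64_decode($parts[1], true);
    if ($sig === false || $body === false || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return null;
    }
    if (!sodium_crypto_sign_verify_detached($sig, $body, $pk)) {
        return null; // not produced by the master server's key
    }
    $claim = json_decode($body, true);
    if (!is_array($claim) || ($claim['key'] ?? null) !== $key
        || ($claim['domain'] ?? null) !== $domain || !is_int($claim['issued'] ?? null)) {
        return null; // answer was issued for another key or domain
    }
    return $claim;
}

// $fresh is the master's answer, or null when the master could not be reached;
// $cached is the last answer the application stored locally.
function license_allows(?string $fresh, ?string $cached, string $pk,
                        string $key, string $domain, int $now, int $grace): bool
{
    $token = $fresh ?? $cached;
    $claim = $token === null ? null : verify_token($token, $pk, $key, $domain);
    return $claim !== null && $claim['valid'] === true && ($now - $claim['issued']) <= $grace;
}

// Constructed sample data.
$kp = sodium_crypto_sign_keypair();
$sk = sodium_crypto_sign_secretkey($kp);
$pk = sodium_crypto_sign_publickey($kp);
$licenses = ['KEY-EXAMPLE-0001' => 'shop.example'];
$key = 'KEY-EXAMPLE-0001';
$t0 = 1700000000;
$day = 86400;
$grace = 3 * $day;

$good  = master_check($licenses, $sk, $key, 'shop.example', $t0);
$moved = master_check($licenses, $sk, $key, 'other.example', $t0);

$cases = [
    'master up, registered domain'   => license_allows($good, null, $pk, $key, 'shop.example', $t0, $grace),
    'master up, unregistered domain' => license_allows($moved, null, $pk, $key, 'other.example', $t0, $grace),
    'master down, 1 day after check' => license_allows(null, $good, $pk, $key, 'shop.example', $t0 + $day, $grace),
    'master down, 5 days after'      => license_allows(null, $good, $pk, $key, 'shop.example', $t0 + 5 * $day, $grace),
    'master down, nothing cached'    => license_allows(null, null, $pk, $key, 'shop.example', $t0, $grace),
];
foreach ($cases as $label => $allowed) {
    echo str_pad($label, 34), $allowed ? 'run' : 'stop', PHP_EOL;
}
```

The domain passed to `license_allows()` should come from the application's own configuration rather than from a request header.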
http://www.google.com/search?q=php+code+obfuscator&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
Have at it...
This obfuscation usually consists of stripping comments and whitespace, base64 encoding, and sometimes other little tricks like completely renaming every variable and such to make it next to impossible to understand by humans.
Zend has a product "Zend Guard" (http://shop.zend.com/en/zend-guard.html) that may offer something more than obfuscation.
With its key components of Encoding, Obfuscating and Licensing, Zend Guard protects your PHP applications from reverse engineering, unauthorized customization, unlicensed use and redistribution
There's also ionCube. Generally these solutions require a server side extension to be loaded but most hosts will have them loaded already I find.
ionCube allows you to license to a particular domain if you like, and also allows you to put time limits on the script (to require license renewal).
Although by default ionCube is a system that requires you to actually create the licenses yourself, there is a system that you can buy to automatically manage this stuff for you (I thought it was PHP-Audit, though that site seems to have gone through a redesign and so I can't tell anymore).