authentication system

[drtrann]

so I've made an application that I hope to distribute, but I'm a little concerned that 1 guy will buy it, and start spreading it across the interwebs so i've started to do some reasearch on authentication systems.

as of right now I have a mysql database setup and have a rough idea of how to properly get it to work, but my major questions are more to do with strategy of implementation.

right now I'm trying to figure out how to properly properly make sure the person isnt just passing the login information with the file (IE close the app if multiple people are logged in with the same creds).

crash/sudden disconnect protection: basically make sure that if somone's computer/program crashes and the disconnect code wasnt able to execute that it doesnt lock out legitimate users.

im sure there are a lot of important things im missing, have never messed with any sort of authentication system and hope to do proper research before I tackle something entirely new

Edited December 12, 2012 by drtrann

[water]

There are a few scripts around that try to do what you need. One of them is

[drtrann]

There are a few scripts around that try to do what you need. One of them is

yeah i saw that, my only take away is that xprotec seems overly complicated for what i need. what im thinking is just having it so 2 unique hardware ID's can work under a given username (person's email) if they attempt to login login with a different hardware ID it tosses an error and they cant run the application. this way i wont need to worry about if the program crashed/ open connections/locked accounts.

I know system ID's can be spoofed, but im hoping this will at least deter the copy pasters who wouldnt know/care enough to spoof hardware IDs

now given the above, is there anything glaringly obvious that im missing?

Edited December 12, 2012 by drtrann

[water]

Have a look at this

[Phaser]

I had the same issue, what I do is use a mysql db for the login details BUT I also do 2 other things, I send the user a test file which gets me the hard drive id number which I tell the script to check, I also put a blank php file on the server, I check the file exists via the script too, that way it will only work on ONE machine, delete the file and it stops working.

[drtrann]

thank you for the hardware ID information.

now comes the actual coding questions.

I need my code to be able to assign the hardware ID's the user's row in the database, but to do that it would need edit access to the database, now im very very very much against hardcoding that in somewhere in the program. is there another way to do this that doesnt put my database at risk. (in that PHP link you gave me water they do this with the PHP file, but there they hardcore in the username/password which would make it even easier to find (they would just have to view the php file)). maybe i just dont understand how PHP works, but hardcoding in the access information for a database seems like a really bad idea

[JohnOne]

You cannot view/download a php file from clientside.

[drtrann]

You cannot view/download a php file from clientside.

ah well that puts me a bit as ease