Lintz

After a user installs my app they need to login to my site and register their copy. They enter an "ID" number then click a button to generate a registration key based on the ID the user has entered.

My question is: What is the best way to do the necessary calculation to gererate the registration key without the user being able to view the code for calculating the key. eg. Clicking View --> Source in IE.

Thanks.

Random

Well, if the user is going to submit something to your webpage, it will be useless unless it goes to your server for either storage or processing.

A server-side script, such as PHP, ASP, etc. can process the ID given, and spit out a registration code for you. Then, the server will put together the HTML page that the user will see, and sends that to the user. No server-side code ever gets exposed to the user, provided you don't make a stupid mistake.

Other than the use of JavaScript (which I believe would be just stupid), that is the only option available to you.

Of course, if you want to use JavaScript to do this, go for your life. The problem there is that people can view the source.

PWNettle

To elaborate or restate. As Random indicated it's most likely that your registration stuff is being handled server-side by something like asp, php, etc.

A person who views source would be seeing the html source that was created by your server-side technology (asp, php). Usually it's exceptionally difficult/impossible to view the source for the actualy asp/php/whatever. And you could go one step further (with asp/asp.net) at least and use a compiled component to do the registration logic and tap into that component from your asp - so that even if they did get the source for your server-side script they surely wouldn't be able to get at the component source (unless you have a horrifically compromised web server setup - and you'd have to go way out of your way to make yourself THAT unsecure).

Also, it's most likely that your registration stuff is stored somehow - like in a database, file, or something. I'd imagine you keep track of this stuff over time. These types of resources are also usually "hidden" from prying internet eyes, adding another layer of protection.

Paul

Lintz

Thanks for the reply. As i'm new to PHP and MYSQL could someone reply to see if i'm on the right track.

After the user enters their "ID" they press a button called Generate. I then call another PHP page which contains the code for calculating the registration key and once the calculation is complete display the result?

The registration key is then saved into MYSQL database I've got set up.

PWNettle

My comment would be that in pretty much every sign-up or registration type of scenario I've encountered in recent internet history usually the way it's done is that you submit some info about yourself or some identifying factor for a product, account, or whatever, and then the registration process sends whatever you need (registration info in your case) via email, rather than displaying it.

I'm no hacker and I'm not overly familiar with all of their ways but I think there's ways people could abuse, hack, or spoof your registration process to attempt to get registered. The email thing seems to be a good way to avoid a lot of potential problems.

So, while your setup will be somewhat secure and will hide the details of the registration implementation it could still be somewhat insecure. Depending on the nature of your website and how truly secure you want it to be you might consider emailing your computed registration info rather than displaying it.

Paul

Lintz

Thanks Paul. I'll look into that option. I already have users email addresses in my database from when they signed up so I can easily email them the registration key.

Random

Thank you.