asp.net

Aug 7, 2008 at 6:48 PM
Hello,

Can I use this API in an ASP.NET project?

Thanks
Coordinator
Aug 12, 2008 at 12:17 PM

Hi,

The answer is a bit complex and here is the reason for it:
The IsValid() function calls GetComputerId(), which looks up the Network Interface Hardware ID of the executing computer (i.e. the Web Server). That means that a license will be checked against the server, which causes a huge security hole: every logged-in user will be able to execute the software.

That can be fixed by replacing the computerId in the user credentials. This is done in the following manner:

  1. In the dotNet.ASP solution, add the LicenserApi.csproj project as a secondary project.
  2. Edit the Logic.cs file and add a reference to the System.Web namespace.
  3. At the top of the file, below "using System.Security.Cryptography;", add "using System.Web;".
  4. Add a method named GetComputerId(HttpRequest request) with the following code:

        public static string GetComputerId(HttpRequest request)
        {
            // SID of the Windows account that issued the request
            return request.LogonUserIdentity.User.ToString();
        }

  5. Replace the line:

        public bool IsValid(string licensePath, string featureName, string passCode, bool bThrow)

     with the following line:

        public bool IsValid(string licensePath, string featureName, string passCode, bool bThrow, HttpRequest request)

     Then replace the line:

        licenseInformation.computerID = Logic.GetComputerId();

     with the line:

        licenseInformation.computerID = Logic.GetComputerId(request);

  6. Next, in your ASP.NET page, add a reference to the LicenserApi.
  7. Protect your page so the user needs to log in to the ASP.NET web page.
  8. Make a call to the modified LicenserAPI.Logic.IsValid() with the Page.Request object as the last argument.

Another application that should be written (used by the person who produces the licenses) is one that creates the user-SID string. This string should be put in the ComputerId field of the license. This can be done as shown in the following console application example:

using System;
using System.Security.Principal;

class WindowsIdentityMembers
{
    [STAThread]
    static void Main(string[] args)
    {
        Console.Write("Enter Account: username@server.domain: ");
        string account = Console.ReadLine();
        WindowsImpersonationContext ctx = null;
        try
        {
            // Build the identity from the UPN; this throws if the account name is invalid.
            WindowsIdentity wi = new WindowsIdentity(account);
            ctx = wi.Impersonate();
            Console.WriteLine("Account SID: " + wi.User.ToString());
        }
        catch (Exception)
        {
            Console.WriteLine("Error in account name - Exiting...");
        }
        finally
        {
            // ctx is still null when the constructor or Impersonate() threw.
            if (ctx != null)
            {
                ctx.Undo();
            }
        }
    }
}

Good luck,
-- Eyal.
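
A guarded variant of the GetComputerId(HttpRequest) method from the reply above, as an added example that is not part of the original post or of LicenserApi: it refuses to return a SID unless the request is authenticated, because the SID of a shared anonymous or guest account would match for every visitor. It assumes the site uses Windows authentication with anonymous access disabled; WebLicenseIdentity is a hypothetical helper name.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added example: WebLicenseIdentity is a hypothetical helper, not a LicenserApi type.
public static class WebLicenseIdentity
{
    // Returns the SID string of the authenticated Windows account behind the request,
    // or throws when the request carries no per-user identity to license against.
    public static string GetComputerId(HttpRequest request)
    {
        if (request == null)
            throw new ArgumentNullException("request");

        // Step 7 of the post: the page must require login before the license check.
        if (!request.IsAuthenticated)
            throw new UnauthorizedAccessException("License check requires a logged-in user.");

        WindowsIdentity identity = request.LogonUserIdentity;

        // Anonymous and guest tokens are shared by many visitors, so their SID
        // cannot stand in for a per-user computerID.
        if (identity == null || identity.IsAnonymous || identity.IsGuest || identity.User == null)
            throw new UnauthorizedAccessException("Request has no per-user Windows identity.");

        return identity.User.ToString();
    }
}
```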
 

Aug 12, 2008 at 1:10 PM
Thanks Eyal,

I need a method like GetComputerID but on a web application. I can't use the login user to do it.

Any idea?

Coordinator
Aug 17, 2008 at 9:56 AM
Edited Aug 17, 2008 at 10:15 AM

Hi Adiazcan,

Again, from the security perspective, the best way to do web-based identification is by the logged-in user and not by his computer. That is because users work on the web from anywhere and not from a particular computer, and also because the application is running on a server and not on the client machine. The solution I put in the last discussion item enables writing web-based licensing (as long as the web site serves subscribed users, i.e. users with accounts).

However, if you still need a non-standard solution, here is what you can do.
The basic idea is to encode the host name and write it in the license in the computerId field.
Then, make GetComputerId encode the requester's host in the same manner and compare it with the license.

Here is an example of encoding the userId:

  1. Create a Project named Test1
  2. Prepare a dialog box with a TextBox named textBox1, an empty Label named lblHostName, a button named btnEncode and a button named btnExit.
  3. Replace the Form1 class content with the following code:

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Text;
using System.Windows.Forms;
using System.Net;
using System.Security.Cryptography;

namespace Test1
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
            lblHostName.Text = Dns.GetHostName();
        }

        private void btnExit_Click(object sender, EventArgs e)
        {
            Application.Exit();
        }

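        private void btnEncode_Click(object sender, EventArgs e)
        {
            // Alphabet used to turn each hash byte into one printable character.
            const string numDesc = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
            textBox1.Text = "";
            SHA1 sha = new SHA1CryptoServiceProvider();
            // Hash the ASCII bytes of the host name with SHA-1 (20-byte result).
            byte [] decoded = System.Text.ASCIIEncoding.ASCII.GetBytes(lblHostName.Text);
            byte[] encoded = sha.ComputeHash(decoded);
            int i = 0;
            foreach (byte digit in encoded)
            {
                int d = (int)digit;

                // Split the byte into its high and low nibbles.
                byte b1 = (byte)((d & 240) / 16);
                byte b2 = (byte)(d & 15);

                // The sum of the two nibbles (0..30) selects the output character.
                char c = numDesc[b1+b2];
                string s = c.ToString();
                textBox1.Text += s;

                // Insert a dash after every fifth character, except at the end.
                i++;
                if (i % 5 == 0 && i != encoded.Length)
                {
                    textBox1.Text += "-";
                }
            }
        }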
    }
}

 

An application similar to the example should be downloaded to the customer, who will e-mail his encoded computer-id to the application provider. The encoded computer-id will be inserted into the license. The web application will call GetComputerId with the Page.Request.UserHostName attribute. That routine will be written exactly as btnEncode_Click and will convert the Page.Request.UserHostName to its encoded computer-id.

Eyal
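
The encoding routine from the reply above factored into one shared method, so the customer-side tool and the web application's GetComputerId produce identical strings (added example, not part of the original post or of LicenserApi). HostIdEncoder, Matches and the sample host names are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: HostIdEncoder is a hypothetical helper, not a LicenserApi type.
public static class HostIdEncoder
{
    private const string NumDesc = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";

    // Same transformation as btnEncode_Click in the post: SHA-1 over the ASCII host
    // name, one character per hash byte (index = high nibble + low nibble), and a
    // dash after every fifth character.
    public static string Encode(string hostName)
    {
        if (string.IsNullOrEmpty(hostName))
            throw new ArgumentException("Host name is empty.", "hostName");

        byte[] hash;
        using (SHA1 sha = SHA1.Create())
            hash = sha.ComputeHash(Encoding.ASCII.GetBytes(hostName));

        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < hash.Length; i++)
        {
            int hi = (hash[i] & 0xF0) >> 4;
            int lo = hash[i] & 0x0F;
            sb.Append(NumDesc[hi + lo]);
            if ((i + 1) % 5 == 0 && i + 1 != hash.Length)
                sb.Append('-');
        }
        return sb.ToString();
    }

    // Compares the id stored in the license with the id computed for the request host.
    public static bool Matches(string licensedId, string requestHostName)
    {
        if (string.IsNullOrEmpty(requestHostName))
            return false;
        return string.Equals(licensedId, Encode(requestHostName), StringComparison.Ordinal);
    }
}

class Program
{
    static void Main()
    {
        string host = "workstation-01.example.test"; // constructed sample value
        string id = HostIdEncoder.Encode(host);      // what the customer would e-mail
        Console.WriteLine(id);
        Console.WriteLine(HostIdEncoder.Matches(id, host));
        Console.WriteLine(HostIdEncoder.Matches(id, "other.example.test"));
    }
}
```

Because each output character is the sum of a byte's two nibbles, different hash bytes can map to the same character, so the id carries less information than the 20-byte hash it is derived from.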

 

 

 

Jan 10, 2010 at 5:44 PM

Hi,

I'm also interested in protecting ASP.NET web applications or web sites, but I am thinking of this approach: a way to bind the key to a given approved URL. For example, for the key abc-def-...-xyz, I have to allow only a web application that runs at www.allowed-domain-name.com. Is this approach possible? And if so, where to store the key in the application? (I hope that my scenario is clear enough: I want to bind the web app or web site that I made for a customer to a given URL that I allow. If the customer tries to deploy the web app or web site to another URL, the app must react in a given way (for example redirecting to a message page, and of course notifying my licensing server).)

Thanks,

Laurentiu