Enforcing Licenses from Locally Hosted Web Applica

Published 2019-04-15 00:40

Question:

Let's say we have a web application which is going to be both

  • A hosted solution available for access over the Internet
  • Able to be locally installed to be used as an "Intranet" application

What would be the best way to enforce licensing for this web application, essentially making it easy to turn access on/off for clients? I was thinking the flow would be something like:

Clients install locally ---> Authorize with central server ---> Allow/ Deny access

Also, I want to be able to make sure that we can offer Free Trials, essentially turning on and off certain features of the application. We also have to consider what happens if we ever "go out of business".

Answer 1:

You have the correct idea:

use your central server (this can be your hosted solution).

If you're building a licence checker on your hosted (external) solution you could just add a web request that requires a cryptographic post of the licence key, e.g.

Request to {domain}

https://{domain}.{tdl}/licenceValid/internal

Post querystring

licenceCrypt={licenceKey(through SHA1)}&companyId={company_id}

Do your checks, then return a JSON string. Once you have a plain-text version working you can then introduce cryptography so you're not sending plain text through the internet.

Success : {'status':'OK','expire':'20/07/2012 00:00:00', 'check':'18/07/2012 00:00:00'}
Fail     : {'status':'FAIL','Message':'Licence has expired'}

Then cache that result. You can load this information from a file and check the "check" value: if that date is less than the current date, download again. However, if this fails and the licence has not expired, keep letting them use the application but show a notice telling them licence validation has had an error and the licence is to expire on {date}. Should the licence expire from the cached date, block the application and tell them they need to check their server's connection to the internet, and if that does not work, phone you.

If all else fails with them you could then pop in with a pen drive that has a little application on it to update their cache file with their new licence details so they can use the software again. Now, for the cache I would recommend you use a 2-way encryption, e.g. base64; however I would recommend one a little stronger.

Then your hosted solution can just load in the class and check the licence for the requested version without any post, or if you wanted to separate the hosted application and the licence server you could implement the same checking on the local copy so you don't have 2 different code bases.

Notes: You don't have to send through a companyId; you could just search your database by using the SHA1 function of your DB and doing a direct lookup check to get the expiry and so on.

Secure Data: if you're implementing a secure application, as in it holds data that can't be exposed for some reason, then to reduce hacking put the licence system on a different port and in the server setup allow it to only establish connections on that port from an external call first. A Linux routing box would be ideal for this as iptables can do this quite simply; I'm not sure how easy it is to set up on Windows.

Update: Securing the licence from nulling

Another feature you could implement to prevent people "nulling" your licence, and which does not require any local changes, is to validate their host name on the licence server: when a licence key is used for the first time it saves the host name to the database against the licence key; if another request comes in from a different host name, tell them they have to contact you to re-enable their licence as their host name has changed. Most companies should be running a static IP address so they will always have a static host name, even if it is their ISP host name.

This still does not stop experienced people, and they could bypass it: all they require is a loopback hack to prevent your application talking to your servers, then they would have to set up a dummy server on their loopback to respond with false information.

The Extra Mile

You could prevent this by making the licence system a C# library: the application downloads the new version, unloads the existing assembly and loads in the new DLL assembly. You just have to make sure you don't change the names of your public methods; then you can add more security without breaking the server or needing a full client-side update. With this you could also use some form of AES or certificate-based encryption on communications, and you compile the certificate into the DLL using Embedded Resources.

With the above you could even go one better and make a new certificate for every licence key, and this should make "nulling" extremely difficult.*

Just as another note for the *: this would require the server to compile the DLL. I would highly recommend you don't do this on a hosting server as it will use a lot of memory and CPU power. To minimize this, use MSBuild and keep all the compile data so the only thing you're changing is the certificate; this should mean it keeps the .pdb files and should compile a lot quicker.
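As an added example (not code from the original post), the check-and-cache flow the answer describes: the client posts the SHA-1 of its licence key, the server answers with the status/expire/check JSON, and the client caches that reply, re-validates once the "check" date passes, keeps running with a notice if validation fails before expiry, and blocks once the cached expiry passes. The licence table, company id and one-day check interval are constructed sample values.

```python
import hashlib
from datetime import datetime, timedelta

DATE_FMT = "%d/%m/%Y %H:%M:%S"   # date format used in the answer's JSON replies

def licence_digest(licence_key: str) -> str:
    """The 'licenceCrypt' value the answer posts: SHA-1 of the licence key."""
    return hashlib.sha1(licence_key.encode()).hexdigest()

# Constructed sample licence table (hypothetical data): sha1(key) -> company id and expiry.
LICENCES = {
    licence_digest("ACME-0001"): {"company": "acme", "expire": datetime(2012, 7, 20)},
}

def server_validate(licence_crypt: str, company_id: str, now: datetime) -> dict:
    """Server side of the /licenceValid/internal request: look up digest and company."""
    rec = LICENCES.get(licence_crypt)
    if rec is None or rec["company"] != company_id:
        return {"status": "FAIL", "Message": "Licence not found"}
    if now >= rec["expire"]:
        return {"status": "FAIL", "Message": "Licence has expired"}
    # 'check' tells the client when to re-validate; never later than the expiry itself.
    check = min(now + timedelta(days=1), rec["expire"])
    return {"status": "OK", "expire": rec["expire"].strftime(DATE_FMT),
            "check": check.strftime(DATE_FMT)}

def client_decide(cache, fetch, now: datetime):
    """Client side: returns (decision, new_cache) where decision is 'allow',
    'allow-notice' (validation failed but licence unexpired) or 'block'."""
    parse = lambda s: datetime.strptime(s, DATE_FMT)
    if cache and now < parse(cache["check"]):
        return "allow", cache                      # cached result still fresh
    try:
        reply = fetch()                            # the HTTPS post to the licence server
    except ConnectionError:
        if cache and now < parse(cache["expire"]):
            return "allow-notice", cache           # keep working, show the notice
        return "block", cache                      # expired and unreachable: block
    if reply.get("status") != "OK":
        return "block", None                       # server refused: drop the cache
    return "allow", reply                          # fresh reply replaces the cache
```

The cache would be written to disk encrypted, as the answer suggests, before the next start-up reads it back.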