How can I bind a user license to a unique fingerprint in an app running in Docker container?

Question

I'm working on a Python application deployed inside a Docker container, and I need to bind a user's license to a unique fingerprint. The goal is to ensure that each license can only be used by one instance of the application at a time.

However, I cannot use any hardware information (e.g. using lshw) because I’ve noticed that, within a Docker container, hardware-related information can be easily changed by the resource allocator.

What are the best approaches for generating a reliable fingerprint in this context?

Any advice or best practices would be greatly appreciated!

I've thought about solutions like a file-based fingerprint, but still unsure how to make sure this cannot be spoofed.

Answer 1

I might explain how most software works regarding this.

1. When you buy a license, the server generates it, it might eventually store other information, like name, email etc. This license might be a simple UUID stored server-side.

Where randomness/generation isn't very important. Because the way it's generated could always be reproduced, and wouldn't prevent from copying.

2. There's often a "protection" client-side, that consist of sending periodically a request to the server that will reply if the license is valid, or not, and in that case, the software comes back with limited features.

3. You might look at the periodicity of these requests. For instance, if too many requests for the same license occurred in a too short period of time.

You cannot do more than this.

Of course, if the user isn't connected to internet, or denied internet for your software, it won't work. But anyway, you'll never be able to completely protect your software against copying.

Just in case you were thinking about, I wouldn't recommend you to :

• Trying to locate your clients and their associated license : It'd imply your users couldn't use VPN
• Require internet connection : It'd affect user's experience