* The Business of Software

A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.

License page hit, but no payment

I had a hit on my app's license page (where the user gets their paid code) on the 5th of January, but I've had no payments since that date (it's two days later now).  The page opens automatically by PayPal immediately after checkout, so I don't understand what's going on.  The hit was generated from Hawaii USA, and my last payment was from Florida USA in December.  Any ideas?
PSB136
Thursday, January 07, 2016
Does this page have an obvious URL that could have been guessed? A common flow of an ISV website might start at:

and this is re-directed to either:

Quite often the 'orderconfirmed' page contains a license code. Maybe someone was just guessing and trying to find a code on your website?
Adrian Lock
Thursday, January 07, 2016
Someone could have bookmarked the page thinking they could go back to it to get their code if they forgot.

If you don't currently have it explicitly stated, you need to have text stating that users should write, copy, or save the code somewhere.
TrippinOnIT
Thursday, January 07, 2016
Your thank you page should check if the proper session variables are set, and redirect back to the main page if not. These are set during checkout.

Also, don't put anything important on that page, because there's always a chance it will be hacked or accessed without auth. Instead, have a message saying "thank you, your license is on its way", and send the license via email.

Also be sure to put a <meta name='robots' content='noindex'/> in the header (and check, if search engines have already indexed it, have it removed from their index).
Calvert
Thursday, January 07, 2016
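
The session check and email delivery suggested in the post above, as an added example that is not part of the original thread or any poster's code. The function names, the in-memory session store, the 15-minute window and the single-use flag are assumptions made for illustration; `mark_paid` stands for whatever the checkout code runs once payment is confirmed.

```python
import secrets
import time

SESSION_TTL = 15 * 60   # assumed: how long a paid session may open the page
_sessions = {}          # session id -> server-side state (in-memory for the demo)
outbox = []             # stands in for the outgoing mail queue

PAGE = ("<html><head><meta name='robots' content='noindex'/></head>"
        "<body>Thank you, your license is on its way.</body></html>")


def start_checkout(email):
    """Create a session when the buyer starts checkout; return its cookie value."""
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"email": email, "paid_at": None, "shown": False}
    return sid


def mark_paid(sid, now=None):
    """Hypothetical hook: called by the checkout code once payment is confirmed."""
    _sessions[sid]["paid_at"] = time.time() if now is None else now


def thank_you(sid, now=None):
    """Return (status, headers, body) for a request to the thank-you page."""
    now = time.time() if now is None else now
    s = _sessions.get(sid)
    ok = (s is not None and s["paid_at"] is not None
          and not s["shown"] and now - s["paid_at"] <= SESSION_TTL)
    if not ok:
        # Guessed URL, bookmark, shared link or stale session: back to the main page.
        return 302, {"Location": "/"}, ""
    s["shown"] = True                        # single use: a later visit redirects
    outbox.append((s["email"], "license"))   # license goes by email, never in the page
    return 200, {"Content-Type": "text/html", "Cache-Control": "no-store"}, PAGE
```

With this gate, a hit on the page without a matching paid session shows up in the logs as a redirect rather than as a served license.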
I didn't consider that it may have been bookmarked.  Indeed, one buyer was from Hawaii a while ago, but I did email him his permanent license code previously.

As for the page that got the hit: it's not easily guessed (it has an 8-digit random sequence in it), and it's disallowed by both "robots.txt" and these headers:

<meta name="robots" content="noarchive">
<meta name="robots" content="noindex">
<meta name="googlebot" content="noarchive">
<meta name="googlebot" content="noindex">
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">

So I think a bookmark must be the answer.  Thanks for the heads-up on that, I should probably change it to mention NOT to bookmark it as it won't exist in future.
PSB136
Friday, January 08, 2016
Interesting, glad you got it fixed. At first I was thinking someone shared your licensing page and was bypassing your payment, hoping they could get lucky and not have to pay for the license.

In any case it's easy for you to remove their license if they aren't willing to pay for your software.
Joonomy
Thursday, February 04, 2016
Someone could theoretically share the URL of that license page, but the code there is a temp license anyway that expires after a while.  So anyone who gets it without paying will just get free use of the app until the timeout.

I could always change the URL of the page too (and point PayPal to the new URL) periodically, maybe every month or so, so that it becomes a 404 for anyone who tries to reach it.
PSB136
Thursday, February 04, 2016

This topic is archived. No further replies will be accepted.
