The Business of Software: a former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.
I had a hit on my app's license page (where the user gets their paid code) on the 5th of January, but I've had no payments since that date (it's two days later now). The page is opened automatically by PayPal immediately after checkout, so I don't understand what's going on. The hit was generated from Hawaii USA, and my last payment was from Florida USA in December. Any ideas?
Does this page have an obvious URL that could have been guessed? A common flow of an ISV website might start at:
https://mywebsite.com/confirmorder/
and this is redirected to either:
https://mywebsite.com/orderconfirmed/
or
https://mywebsite.com/orderrejected/
Quite often the 'orderconfirmed' page contains a license code. Maybe someone was just guessing and trying to find a code on your website?
Someone could have bookmarked the page, thinking they could go back to it to get their code if they forgot.
If you don't currently have it explicitly stated, you need to have text stating that users should write, copy, or save the code somewhere.
Your thank you page should check if the proper session variables are set, and redirect back to the main page if not. These are set during checkout.
Also, don't put anything important on that page, because there's always a chance it will be hacked or accessed without auth. Instead, have a message saying "thank you, your license is on its way", and send the license via email. Also be sure to put a <meta name='robots' content='noindex'/> in the header (and check, if search engines have already indexed it, have it removed from their index).
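A sketch of the session check suggested in the post above, as an added example that is not code from the thread or from any poster's site. It assumes `session` is the web framework's server-side session dictionary and that the site can tie its payment confirmation back to that session; the function names, the 15-minute window and the one-view rule are assumptions made for illustration.

```python
import secrets

HOME = "/"          # where requests without a valid checkout are redirected
MAX_AGE = 15 * 60   # seconds a confirmed order may load the page (assumed value)
PAGE = ("<meta name='robots' content='noindex'/>"
        "Thank you, your license is on its way by email.")

def begin_checkout(session):
    """Call when the buyer leaves for the payment processor."""
    order_id = secrets.token_urlsafe(16)
    session["order"] = {"id": order_id, "paid_at": None, "shown": False}
    return order_id

def mark_paid(session, order_id, now):
    """Call once payment for order_id has been confirmed."""
    order = session.get("order")
    if order and secrets.compare_digest(order["id"], order_id):
        order["paid_at"] = now
        return True
    return False

def thank_you(session, now):
    """Return (status, body_or_location) for a request to the thank-you page."""
    order = session.get("order")
    if not order or order["paid_at"] is None:
        return 302, HOME    # guessed or shared URL: no paid checkout in this session
    if order["shown"] or now - order["paid_at"] > MAX_AGE:
        return 302, HOME    # bookmark or reload after the purchase
    order["shown"] = True   # one view per order
    return 200, PAGE        # no license code in the page; it goes out by email

if __name__ == "__main__":
    import time
    now = time.time()
    buyer = {}                       # constructed session for the demo
    oid = begin_checkout(buyer)
    mark_paid(buyer, oid, now)
    print("buyer, first view:", thank_you(buyer, now + 5)[0])
    print("buyer, bookmark two days later:", thank_you(buyer, now + 2 * 86400)[0])
    print("visitor who only has the URL:", thank_you({}, now)[0])
```

With this gate a bookmarked or shared URL produces a redirect to the main page instead of a page view, so a stray hit on the license page no longer exposes anything.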
I didn't consider that it may have been bookmarked. Indeed, one buyer was from Hawaii a while ago, but I did email him his permanent license code previously.
As for the page that got the hit: it's not easily guessed (it has an 8-digit random sequence in it), and it's disallowed by both "robots.txt" and these headers:
<meta name="robots" content="noarchive">
<meta name="robots" content="noindex">
<meta name="googlebot" content="noarchive">
<meta name="googlebot" content="noindex">
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
So I think a bookmark must be the answer. Thanks for the heads-up on that, I should probably change it to mention NOT to bookmark it as it won't exist in future.
Interesting, glad you got it fixed. At first I was thinking someone had shared your licensing page and was bypassing your payment, hoping they could get lucky and not have to pay for the license.
In any case it's easy for you to remove their license if they aren't willing to pay for your software.
Someone could theoretically share the URL of that license page, but the code there is a temp license anyway that expires after a while. So anyone who gets it without paying will just get free use of the app until the timeout.
I could always change the URL of the page too (and point PayPal to the new URL) periodically, maybe every month or so, so that it becomes a 404 for anyone who tries to reach it.