5.5. Restrictions

The following shows the Restrictions tab of the Project Settings dialog:

Encoded files can be encoded with protection against being replaced by unauthorised files (include file protection), and with the Pro and Cerberus Encoder, files can be restricted only to work on particular machines or to stop working beyond a certain time. These are file based restrictions that are stored in the files themselves. Files can be configured instead to require a license file containing restrictions, and depending on how the encoded files are to be used, license based restrictions may be preferable to restricting the actual encoded files themselves. See the License Creation section for more details of license file based restrictions.

Server restrictions

The Server Restrictions settings are available if the Pro or Cerberus ionCube PHP Encoder is installed. The rows of the restrictions grid contain restrictions based on Domain name, IP address, and with Cerberus, also MAC address. Which fields are completed is optional, so for example, you could restrict files based on a domain name and an IP address, only a domain name, or only an IP address. All restrictions on a particular row must be met.

More than one restriction can be added, and a file is permitted to run if any restriction row completely matches.

Multiple values can be entered for the Domain name and IP address, separated by commas (with no spaces). See the User Guide PDF documentation of the --allowed-server command line option for a full discussion of the syntax that can be accepted for domain names and IP addresses.

File expiry

A time restriction may also be set for encoded files, with a file ceasing to work beyond either a chosen date or a period of time after a file was encoded.

Include file protection

It may be a security problem for unauthorised files to include encoded files, and conversely it may be undesirable for an encoded file to include an encoded file. Indeed, a malicious user may attempt to replace certain files with their own files. For this reason the option exists to specify an include key. If this option is set then encoded files with a given include key can only include and be included by files that have the same include key. A random include key can be created by clicking on the Generate random key button.

PHP has the ability to set a script that should be executed before every other script is run, and a script that should be executed after every other script. These settings are controlled with the auto_prepend_file and auto_append_file php.ini settings. As with include files, this may be a security risk, so the option exists to abort execution if these php.ini options are enabled. On the other hand, users may have a legitimate reason for enabling these php.ini settings, and so the Encoder option to disallow prepend and append files is disabled by default.

License file

Selecting Encoded files require a license file enables license file based restrictions. See the License Creation section for information about creating license files.

There are two methods to validate a license; automatic or script based. Automatic checking is the simplest as it is performed by the Loader before processing each encoded file, and the Loader will halt execution if a license is not found or is invalid.

The second approach is to use the Loader API (see the Encoder User Guide PDF) to validate the license within PHP script itself. This can be useful if a more complicated license system is to be implemented or some functionality is still required even if a license is invalid. Script based checking can be selected by unchecking Automatic checking of license restrictions. Although the Loader will check that a license file is present, it is very important to note that the Loader will not validate the license in any way unless requested to do so by calling a Loader API function. How a script behaves if a license is invalid is entirely up to the developer. License checking should be performed somewhere in every script that needs to be protected, and include attack protection may be useful to prevent removal of the license checking code.

The Name of license file field should be set to be the name of the license file, e.g. license.txt. This can also be a relative path if the license file will be located in a sub-directory in the project. When opening a script, the Loader will search for the license by 'moving up' directories, and appending the license name to the directory at each step. It is suggested to give the license file a name unique to your application, and ensure that the license is placed in the top level directory of the PHP application.

The License passphrase should be a key unique to the PHP application being encoded, for example the name of the application. Although licenses created with Encoders owned by different ionCube customers will be incompatible, license files created by the same Encoder and having the same passphrase will be interchangeable. For this reason it is important that a unique passphrase is used for each distinct product that is encoded.