Just looked in the CFAdmin (CF10) info area, and have noticed the license key is stored in plain text.
Should this be so?
My concern is as a hosting company we have purchased X amount of Enterprise licenses. Some of the servers are hosted as private VPSs, to which we provide admin access (server and CF).
If a customer of ours decided to go to a competitor there is nothing stopping them seeing our license key, copying it and installing CF themselves on a server not managed by us, thus getting a free license - and we would not know.
I really think the license key should be hashed.
Any opinions on this?
That's a good point. Maybe obscure all but the last 4-6 digits (like many merchants do with stored credit card numbers) so companies with multiple licenses can still identify which is on which machine. Want to submit an Enhancement Request to Adobe?
If a ColdFusion keycode has already been used and is registered with Adobe, how could someone take and use it? Doesn't the server send the data to Adobe to verify the code and also verify it hasn't been used already?
I don't think so, at least not for ColdFusion. With the CF10/11 EULAs, you are allowed to use the same license key on multiple servers, as long as only one is a production server (the others would be for development, Q/A, staging, disaster recovery, etc.). There's no way Adobe could monitor that and tell whether a key was being abused or not.