Clearly this doesn't really prevent creating multiple accounts though, since the user can just clear local storage and register again. So is there some identifier that the widget will have access to that the user cannot change?
I don't think so. You can generate a UID and put it into local storage, but local storage is wiped when iBooks is uninstalled or Safari data is cleared. At the very least, you'd have to allow people to re-establish the link between their device and the game account in case the ID is lost. Similar considerations apply to storing the data in a cookie.
I don't see a way to prevent the multiple account creation issue either.
You'd stand a chance of this type of scheme working if you simply relied on a logon off of your own servers (#2 above?) - this would aid the user that wants to retain certain info across multiple/new devices as well. If security is a need at all, there's not much you can do globally except to try making an app instead.
I wouldn't rely on localStorage for anything beyond session, tho.
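An added example (not written by any poster in this thread) that simulates the two schemes discussed above: a UID kept in local storage, and a logon against your own server that re-links the device. `MemoryStorage`, `GameServer` and every other name are hypothetical stand-ins, and the password check is assumed to have happened before `linkDevice` is called.

```javascript
// Added illustration: all names are hypothetical; MemoryStorage stands in for window.localStorage.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  setItem(key, value) { this.items.set(key, String(value)); }
  clear() { this.items.clear(); }
}

// Random UID from the platform CSPRNG (Web Crypto global, else Node's module).
const randomId = () => (globalThis.crypto && globalThis.crypto.randomUUID
  ? globalThis.crypto.randomUUID()
  : require("node:crypto").randomUUID());

// Client side: reuse the stored UID, or mint a new one when storage is empty.
function getOrCreateDeviceId(storage) {
  const stored = storage.getItem("deviceId");
  if (stored !== null) return stored;
  const id = randomId();
  storage.setItem("deviceId", id);
  return id;
}

// Server side: it only ever sees whatever ID the client sends.
class GameServer {
  constructor() { this.byDevice = new Map(); this.byUser = new Map(); this.next = 1; }
  // UID-only scheme: an unknown ID is indistinguishable from a new customer.
  registerDevice(deviceId) {
    if (!this.byDevice.has(deviceId)) this.byDevice.set(deviceId, this.next++);
    return this.byDevice.get(deviceId);
  }
  // Login scheme (user already authenticated): the account follows the login, not the device.
  linkDevice(user, deviceId) {
    if (!this.byUser.has(user)) this.byUser.set(user, this.next++);
    this.byDevice.set(deviceId, this.byUser.get(user));
    return this.byUser.get(user);
  }
}

function simulate() {
  const server = new GameServer();
  const ipad = new MemoryStorage();
  const first = server.registerDevice(getOrCreateDeviceId(ipad));
  const again = server.registerDevice(getOrCreateDeviceId(ipad));
  ipad.clear(); // Safari data cleared or iBooks uninstalled
  const afterWipe = server.registerDevice(getOrCreateDeviceId(ipad));
  const login = server.linkDevice("alice", getOrCreateDeviceId(ipad));
  ipad.clear();
  const relinked = server.linkDevice("alice", getOrCreateDeviceId(ipad));
  const otherDevice = server.linkDevice("alice", getOrCreateDeviceId(new MemoryStorage()));
  return { first, again, afterWipe, login, relinked, otherDevice };
}
```

`simulate()` returns the same account number for `first` and `again` but a new one for `afterWipe`, while `login`, `relinked` and `otherDevice` all resolve to one account, since the server cannot tell a re-linked device from a different device using the same login.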
K T wrote:
You'd stand a chance of this type of scheme working if you simply relied on a logon off of your own servers (#2 above?) - this would aid the user that wants to retain certain info across multiple/new devices as well.
The problem with this approach is that it allows anyone with the username/password to get access, not just people who have bought the book.
Yeah the main issue is just that anyone who has bought the book would be able to create an unlimited number of free accounts for the game, which is also going to be sold separately. So if there is no way to tie a game account to a book purchase, we may have to re-think this setup.
And unfortunately my company is very set on doing an iBook, so... yeah
Anyway, thanks for the help guys. I'll have to think on this more.
There are also privacy concerns: as soon as each purchase has a unique ID that differs for each copy, that now makes it theoretically possible to trace the movement of each purchase across devices. Even if the ID could not be associated with a particular account, there would probably still be objections on privacy grounds.
One option that might work: require purchasers to send in a copy of the purchase receipt in order to get their account. Not exactly elegant, work-intensive, and still subject to fraud though…
Thanks for the suggestion about the receipt, we may have to do that. I was hoping that it might be possible to validate the receipt and then use the order # as my unique id, but it seems that receipt validation is only for in-app purchases. (Which seems to suggest that doing the book as an app really is the right way to go).
Ah well, it may be that I'm more worried about security than I should be. The game is educational, not Diablo III or anything, so the number of people wanting to get it for free is probably fairly low.