jeezyfreezy

Reputation: 302

Confirming Source Is From QR Code Scan

I have this project where I need to know if a visitor legitimately arrived from a QR code. The document.referrer value from a QR code shows blank. I have looked at some answers suggesting to put a parameter in the query string (e.g. ?source=qr), but anyone could easily add the parameter into the URL and my code would believe it is from a QR code (e.g. www.project.com/check.page?source=qr). I have thought of adding code to make sure it is from a mobile phone / tablet as a secondary way to authenticate, but many browsers have add-ons to fool websites.

Any suggestions would be greatly appreciated.

Thanks in advance.

Upvotes: 6

Views: 2891

Answers (2)

Jorge Cevallos

Reputation: 3678

I think the best solution for you is creating your regional QR Codes pointing to:

Region 1)  http://example.com/?qr=f61060194c9c6763bb63385782aa216f
Region 2)  http://example.com/?qr=731417b947aa548528344fab8e0f29b6
Region 3)  http://example.com/?qr=df189e7f7c8b89edd05ccc6aec36c36d

If the value of the parameter qr is anything other than f61060194c9c6763bb63385782aa216f, 731417b947aa548528344fab8e0f29b6 or df189e7f7c8b89edd05ccc6aec36c36d, then you can ignore it and assume the user didn't come from any QR Code.

Of course, any user can remove the source parameter. But at least he can't add a valid one, unless he really had access to the code.

Upvotes: 2
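The allow-list check described in the answer above, sketched as server-side JavaScript. This is an added example, not code from the answer: the token values are the three samples shown there, while the region labels and the function names `equalNoEarlyExit` and `regionFromQrUrl` are hypothetical.

```javascript
// Added example: validate the ?qr= token on the server against an allow-list.
// Token values are the samples from the answer; region labels are hypothetical.
const QR_TOKENS = new Map([
  ['f61060194c9c6763bb63385782aa216f', 'region-1'],
  ['731417b947aa548528344fab8e0f29b6', 'region-2'],
  ['df189e7f7c8b89edd05ccc6aec36c36d', 'region-3'],
]);

// Tokens are 32 lowercase hex characters; anything else is rejected early.
const TOKEN_FORMAT = /^[0-9a-f]{32}$/;

// Compare without an early exit, so the time taken does not depend on how
// many leading characters of a guess happen to match a real token.
function equalNoEarlyExit(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  }
  return diff === 0;
}

// Returns the region label for a request URL carrying a valid token,
// or null when the visit must be treated as "not from a QR code".
function regionFromQrUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return null; // not a parseable absolute URL
  }
  // A repeated parameter is ambiguous (which copy counts?), so reject it.
  const values = url.searchParams.getAll('qr');
  if (values.length !== 1) return null;
  const candidate = values[0];
  if (!TOKEN_FORMAT.test(candidate)) return null;
  // Check every known token rather than stopping at the first match.
  let region = null;
  for (const [token, label] of QR_TOKENS) {
    if (equalNoEarlyExit(candidate, token)) region = label;
  }
  return region;
}
```

A non-null result means the request carried a token that is only printed in a QR code; as the answer notes, it still cannot tell a scan apart from someone who copied the link out of the code.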

Uooo

Reputation: 6334

...but anyone could easily add the parameter into the URL and my code would believe it is from a QR code

Well, anyone could also scan the QR code, view the link, and remove the source=qr from it.

Data collection is never 100% reliable. Users can change their browser's user agent, inject cookies with some strange values, open your page through a proxy server, and so on.

You could create your own device or App for scanning the QR-code. If you read the post I've linked, you will see that this is a waste of time and resources.

So, what is left is to make a solution which will work for most of the users. Appending a source=qr parameter to your URL seems to be the simplest solution. You could also link to an entirely different domain and redirect the request, so it would be more fraud-safe. But it will never be 100% accurate.

Upvotes: 0
