A client of mine is holding a conference and we have the task of creating a booking system for them. However they have requested that we use QR codes so that on the door, a person can simply present their QR code, be scanned, and boom! they are signed in.
This isn’t so much of a problem because I thought well I could use a long URL to connect to our DB and sign the person in, mark them as booked in/confirmed, and be done with it.
That’s all very easy, the problem is then that what if the person scans the QR code themselves? How do I ensure that only the people who are on the door of the conference have the power to scan the barcodes and sign people in?
I am limited really to PHP / jQuery, if I knew Xcode I would write an App but I don’t.
Thoughts I had:
- Get the IP of the local Wi-Fi, and only accept requests from that (however that does not stop the public from signing in)
- Use some variable in $_SERVER[] that I could map as coming from a certain person’s phone only.
You shouldn’t put a URL in the QR code. It should only contain an ID that represents their ticket. Then when you scan the person’s QR code at the door, you check if that ID is valid and let them enter if it is.
Assuming your ID is sufficiently large, this would be near impossible to abuse.
You need a piece of information that can only be obtained at the door.
Three ideas:
- Have a sign-in QR code at the door (can be a universal one for everyone). When that URL is visited, set a cookie on their device which you then require before accepting the second, personalized URL. This has the problem of the QR code being shared with others once it’s posted at the door.
- Only give them half the QR code, and keep the other half at the door. You’d need to keep a different half for each attendee though.
- After they sign in with their own QR, generate another one on a secured machine at the door, which they have to scan to complete the sign-in.
You could link to a URL like http://localhost/...
and have the machine that is scanning at the door also be the one that hosts the server for this.
This server would be a thin one, all it would need to do is your DB updating.
Have the person scanning the codes visit some other page, with some other long URL. On that page place a specific cookie. Then, accept confirmation coming only from users with that cookie.
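The two ideas above, an unguessable ticket ID in the QR code and a door-staff session that alone may trigger the check-in, put together as an added PHP example (not code from any answer here). It assumes a ticket table with id, token_hash and checked_in_at columns, simulated by an in-memory array, and a door-staff login that sets $_SESSION['door_staff'] before the scanner posts to the check-in endpoint.

```php
<?php
// Added example: QR carries only a random token; only an authorised scanner
// session can check it in; tokens are stored hashed and replays are refused.

// Issue a ticket. The returned token is what goes into the QR code;
// only its hash is stored, so a leaked table yields no usable codes.
function issueTicket(array &$tickets, int $id): string {
    $token = bin2hex(random_bytes(16));            // 128 bits: not guessable
    $tickets[$id] = ['token_hash' => hash('sha256', $token), 'checked_in_at' => null];
    return $token;
}

// Door-staff login (assumed, not shown) sets this session flag. An attendee
// scanning their own code hits the endpoint without it and is refused.
function scannerIsAuthorised(): bool {
    return isset($_SESSION['door_staff']) && $_SESSION['door_staff'] === true;
}

// Check in a scanned token. Returns ['ok' => bool, 'reason' => ..., 'id' => ...].
function checkIn(array &$tickets, string $scanned): array {
    if (!scannerIsAuthorised()) {
        return ['ok' => false, 'reason' => 'scanner not authorised'];
    }
    if (!preg_match('/^[0-9a-f]{32}$/', $scanned)) {   // reject junk early
        return ['ok' => false, 'reason' => 'malformed token'];
    }
    $h = hash('sha256', $scanned);
    foreach ($tickets as $id => $t) {
        if (hash_equals($t['token_hash'], $h)) {           // constant-time compare
            if ($t['checked_in_at'] !== null) {
                return ['ok' => false, 'reason' => 'already checked in', 'id' => $id];
            }
            $tickets[$id]['checked_in_at'] = date('c');
            return ['ok' => true, 'id' => $id];
        }
    }
    return ['ok' => false, 'reason' => 'unknown token'];
}

// Constructed demo (CLI): one ticket, then four scans.
$tickets = [];
$qr = issueTicket($tickets, 42);
var_dump(checkIn($tickets, $qr)['reason']);          // attendee self-scan: not authorised
$_SESSION['door_staff'] = true;                      // staff logged in at the door
var_dump(checkIn($tickets, $qr)['ok']);              // true: first valid scan
var_dump(checkIn($tickets, $qr)['reason']);          // already checked in
var_dump(checkIn($tickets, str_repeat('0', 32))['reason']); // unknown token
```

In a real deployment the scanner page must be served over HTTPS with a session cookie flagged Secure and HttpOnly, and the database update should be a conditional UPDATE ... WHERE checked_in_at IS NULL so two door devices cannot both accept the same ticket.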