2

All, I'm going to use a QR code from the following URL: http://qrcode.kaywa.com/

I want to use the URL option so when someone scans it they are sent to the URL that I specified on the code. I want to have something like the following URL: http://www.website.com/web-page/?type=uplights&action=checkout

Based on the variables in the URL I want to allow my user to insert some data.

Is there a way to secure this so that I know a user got to this URL from scanning the QR code instead of just typing that information into the URL?

Thanks!

user1048676

2 Answers

5

Short Answer: Not directly. QR codes were not designed to keep content stored within it secret. Someone could use a QR reader to scan your URL, store it and keep using it over and over again, without actually scanning it again.


One way we used to circumvent this issue was to encrypt our URL such that our own application (Based on ZXing) would be the only one capable of reading our QR code. It then sends the actual request with a nonce over a secure channel such that a replay attack would also be rendered useless (in case someone was sniffing outbound connections). All other readers see the encrypted URL which isn't of any use.

Other than that, there isn't another way of ensuring the user actually does scan your QR and doesn't type it out/paste it in.


The way we implemented this:
We stored the URL as http://www.website.com/app.php?<encrypted_string>. If someone read our URL with a different QR decoder, they would be taken to our app.php page, which urged them to read the QR using our application.

Our app itself, on encountering that URL stripped off the encrypted query-string, decrypted it, and formed its own request to the right page. In PHP, you could execute that request at the server-end itself, so it is never visible to the user. You could use mcrypt as detailed here for encryption.

Anirudh Ramanathan
  • Thanks for the information. How did you go about encrypting the URL (never heard of ZXing) so that your application was the only one able to read it? – user1048676 Aug 01 '12 at 03:50
  • Thanks. I'll take a look at that. Did your application read the code? I wouldn't have my own application and would use the standard QR reader to read the code. Would that still work based on your suggestion? – user1048676 Aug 01 '12 at 04:06
  • No. If you are not limiting the user to your application only, the above wouldn't work. The user can save the URL using some reader and execute it over and over again. In that case, your best bet is Captcha in the form you are redirecting him to. – Anirudh Ramanathan Aug 01 '12 at 04:09
4

You can add a secret-ish parameter to the URL and not publish the URL with that parameter. But basically, no, you still won't know if someone didn't just type in that URL. (For example, I may have used the QR code, then cut and paste the URL in an email to a friend, and that friend may have typed it in.) But you'll know that they probably didn't just type it in.

QR codes are just easily reversible encodings for text. There's no magic there. So there are things you can do to make it less likely that someone typed in the URL, but you can never be certain.

Trott
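As an added illustration (not code from either answer or from the asker), here is a Python sketch of the two ideas in the answers above: the second answer's unforgeable "secret-ish parameter" (the `type`/`action` values travel in the QR URL as an HMAC-signed token, so they cannot be guessed or altered without the key) and the first answer's dedicated reader app, which wraps the scanned token in a fresh nonce and timestamp so the server can refuse a replayed request. The key, base URL, token lifetime and the `Checkout` class are assumptions made for this example. The server deliberately reports a status rather than a yes/no "was scanned" answer: a bare signed URL proves only that the token was not invented, not that it was not pasted or typed, which is exactly the limit both answers describe.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed example values; the key is a placeholder for a real server secret.
SERVER_KEY = b"example-key-placeholder"
BASE_URL = "http://www.website.com/web-page/"   # URL shape taken from the question
REQUEST_TTL = 300                                # seconds a wrapped request stays valid (assumption)


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body, key=SERVER_KEY):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def make_qr_url(params, key=SERVER_KEY):
    """Build the URL that goes into the printed QR code.

    The parameters travel as a base64 payload plus an HMAC tag: the
    'secret-ish parameter' of the second answer. Any QR reader can still
    read it as plain text; the tag only stops guessing and tampering."""
    body = _b64e(json.dumps(params, sort_keys=True).encode())
    return f"{BASE_URL}?{urlencode({'t': body, 'sig': _sign(body, key)})}"


def reader_request(qr_url, key=SERVER_KEY, now=None):
    """What a dedicated reader app (first answer) sends after a scan: the QR
    token wrapped with a fresh nonce and timestamp, signed with the shared key,
    so every scan produces a different request. Assumes the app holds the key."""
    qs = parse_qs(urlparse(qr_url).query)
    inner = {"t": qs["t"][0], "sig": qs["sig"][0],
             "nonce": secrets.token_hex(16), "ts": int(now or time.time())}
    body = _b64e(json.dumps(inner, sort_keys=True).encode())
    return f"{BASE_URL}?{urlencode({'r': body, 'rsig': _sign(body, key)})}"


class Checkout:
    """Server side: classifies an incoming URL and remembers nonces it has accepted."""

    def __init__(self, key=SERVER_KEY):
        self.key = key
        self.seen_nonces = set()

    def _verify_qr_token(self, body, sig):
        # Constant-time comparison so the tag check does not leak timing.
        if not hmac.compare_digest(_sign(body, self.key), sig):
            return None
        return json.loads(_b64d(body))

    def handle(self, url, now=None):
        """Return (status, params). params is None whenever the request is rejected."""
        qs = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        now = now or time.time()
        if "r" in qs and "rsig" in qs:
            # Wrapped request from the reader app: check signature, age, nonce, inner token.
            if not hmac.compare_digest(_sign(qs["r"], self.key), qs["rsig"]):
                return "rejected: bad request signature", None
            req = json.loads(_b64d(qs["r"]))
            if abs(now - req["ts"]) > REQUEST_TTL:
                return "rejected: stale", None
            if req["nonce"] in self.seen_nonces:
                return "rejected: replayed nonce", None
            params = self._verify_qr_token(req["t"], req["sig"])
            if params is None:
                return "rejected: bad qr token", None
            self.seen_nonces.add(req["nonce"])
            return "fresh scan via reader app", params
        if "t" in qs and "sig" in qs:
            # Bare QR URL: typed, pasted, or delivered by a generic reader. The token is
            # genuine, but nothing here proves it was just scanned.
            params = self._verify_qr_token(qs["t"], qs["sig"])
            if params is None:
                return "rejected: bad qr token", None
            return "valid token, origin unknown", params
        return "rejected: no token", None


if __name__ == "__main__":
    qr = make_qr_url({"type": "uplights", "action": "checkout"})
    server = Checkout()
    print(server.handle(qr))                       # valid token, origin unknown
    first = reader_request(qr)
    print(server.handle(first))                    # fresh scan via reader app
    print(server.handle(first))                    # rejected: replayed nonce
```

The nonce set is an in-memory placeholder; a real deployment would keep it in shared storage with an expiry matching `REQUEST_TTL`, otherwise a second server instance would accept the replay the first one refused.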