#1
    Automate login with PHP


    Hey guys & gals,

    We have a simple login function up and running on our site, and promote it via laptops as we travel around to tradeshows.

    Is there any way to have the user scan a QR code, and open the website as a logged-in guest user, on their smartphone? This account has no functionality other than to give them access to hidden content that would be unavailable on the main site, so to them, they aren't really 'logged-in' at all.

    We would need to make sure that guests could only access the guest account through the QR code, and for a certain period of time (1 hour).

    Any advice or pointing in the right direction would be great!
  2. #2
    A QR code is (can be) just a URL. If you can make a URL that does what you want then you can turn it into a QR code.
  4. #3
    You can make a URL with QR, but it is not restricted to the QR only. Everyone who has the URL can access the site from any browser.

    You could create a URL something like this:
    www.domain.com/login?auth=<RANDOM UNIQUE ID>

    And then have a database specifying when the ID expires.

    Where does the user scan the QR from? Does the user have enough time to get access to the QR, scan it and visit the site before one hour has passed?
  6. #4
    Originally Posted by MrFujin
    You can make a URL with QR, but it is not restricted to the QR only. Everyone who has the URL can access the site from any browser.

    You could create a URL something like this:
    /login?auth=<RANDOM UNIQUE ID>

    And then have a database specifying when the ID expires.

    Where does the user scan the QR from? Does the user have enough time to get access to the QR, scan it and visit the site before one hour has passed?
    If I understand correctly with the AuthID, I would have to regenerate QR codes every time it expired? Ideally, we would like to not have to do this.

    The user is scanning the QR which is placed on promotional material at our tradeshow booth, which instantly opens and logs them in to the site. We want them only to be able to do this from our tradeshow booth, nowhere else.
  8. #5
    Originally Posted by turntwo21
    If I understand correctly with the AuthID, I would have to regenerate QR codes every time it expired? Ideally, we would like to not have to do this.

    The user is scanning the QR which is placed on promotional material at our tradeshow booth,
    In this case, the QR should at least be valid for the number of hours you are on the booth. Maybe make it a one-day grant (24 hours).

    Originally Posted by turntwo21
    which instantly opens and logs them in to the site.
    Most programs ask if the user wants to visit the URL.
    The login part is done by you when they do go to the URL.

    Originally Posted by turntwo21
    We want them only to be able to do this from our tradeshow booth, nowhere else.
    Maybe there is a parameter you can validate to see if the user accesses the site from a mobile device or not.
    Unfortunately, I don't know how this is done and how reliable it will be.
  10. #6
    Hi,

    just a short comment, because tasks like this usually run into the same issue:

    Make sure to use a strong random number generator. Do not use built-in functions like rand() or mt_rand(). They're predictable and prone to collisions, which makes them completely unsuitable for authentication.

    If the OpenSSL extension is available on your server, use openssl_random_pseudo_bytes(). If the Mcrypt extension is available, use mcrypt_create_iv(). Otherwise, read directly from /dev/urandom.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
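
Added example, not code from any poster in this thread: it combines the expiring `auth` ID from #3 with the random-number advice from #6, using the one-day QR validity and one-hour guest access mentioned above. It assumes PHP 7+ (`random_bytes()`; `openssl_random_pseudo_bytes()` from #6 fits the same spot on older versions) and PDO SQLite, and the table and function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical schema; SQLite in memory keeps the example self-contained.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE guest_tokens (token_hash TEXT PRIMARY KEY, expires_at INTEGER NOT NULL)');

/** Create the value that goes into the QR URL; only its hash is stored server-side. */
function issueToken(PDO $db, int $validSeconds, int $now): string
{
    $token = bin2hex(random_bytes(16)); // 128 bits from the OS CSPRNG, not rand()/mt_rand()
    $stmt = $db->prepare('INSERT INTO guest_tokens (token_hash, expires_at) VALUES (?, ?)');
    $stmt->execute([hash('sha256', $token), $now + $validSeconds]);
    return $token;
}

/** Return the timestamp at which the guest session ends, or null if the token is unknown or expired. */
function redeemToken(PDO $db, string $token, int $now, int $sessionSeconds = 3600): ?int
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return null; // malformed input never reaches the database
    }
    $stmt = $db->prepare('SELECT expires_at FROM guest_tokens WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    $expiresAt = $stmt->fetchColumn();
    if ($expiresAt === false || (int) $expiresAt <= $now) {
        return null;
    }
    // The caller stores this in $_SESSION and re-checks it on every hidden page.
    return $now + $sessionSeconds;
}

// Constructed walk-through: one token printed as a QR code for a 24-hour grant.
$now = time();
$token = issueToken($db, 24 * 3600, $now);
echo "QR URL: www.domain.com/login?auth={$token}\n";

var_dump(redeemToken($db, $token, $now + 600));             // scanned ten minutes after issue
var_dump(redeemToken($db, $token, $now + 25 * 3600));       // scanned after the grant has lapsed
var_dump(redeemToken($db, str_repeat('0', 32), $now));      // well-formed but never issued
```

The QR code stays valid for the whole grant, so it does not need reprinting, while each visitor's access is bounded separately by the session expiry that `redeemToken()` returns.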
