
I would like to make an order-system with QR-Codes which is online.

How I imagine it to work:
A customer visits a restaurant. There is a QR-Code on his table which takes him to a public webpage where he can order the stuff he wants.

So my question is:
How can I check if the person ordering is actually sitting in the restaurant without using the phone's GPS location?

My first thoughts about this were to use a key printed underneath the QR-Code, but the person ordering could just use this key at home if he would just take a photo of the QR-Code.

Hope you understand what I mean with this and could help me out :)

Glorfindel
rbnpts
  • As far as geolocation itself is concerned, I don't believe there are any miracle solutions. You could use the GPS-capability of the device, but it of course means you must trust the client (and that you can't support non-GPS-capable devices). Geolocation by IP is not precise and reliable enough. You might want to revisit your design. If your system can be installed on premise, then you could assume the customer is physically present if they are on the restaurant's network. Otherwise, you could imagine that a waiter must first authorize the customers before ordering. – Vincent Savard Oct 29 '21 at 13:58

2 Answers


How can I check if the person ordering is actually sitting in the restaurant without using the phone's GPS location?

That depends entirely on why you care.

Is this a security concern? Is it a threat to your business model if I start ordering while waiting in line? In the parking lot? Without knowing why you care no one can design an effective system. We can't tell if this is a security issue, a marketing issue, or just a bad idea.

Printed QR-Codes are static. The advantage they give over a printed URL is only that the user doesn't have to type. They offer nothing in the way of copy protection.

Add a dynamic element and you can make old ones invalid. This could be done by displaying the QR-Codes on a screen, challenging users for a "color of the day" code that the restaurant displays and changes randomly, or mounting something like RSA SecurID Hardware Tokens on the tables.

None of these, on their own, go as far as requiring users to create an account. And that limits the security offered here. Without a clear explanation of why you care where they are, it's really hard to say if any of these ideas are secure enough.

To see this dynamic idea developed seriously check out Time-based One-Time Password.

candied_orange

If you have a computer or a website displaying a QR code, then the QR code can contain the current date and time, changed every 10 seconds. And you don't accept a QR code more than ten seconds old. Or maybe 20 seconds, to allow for the user scanning a QR code just before it changes and sending a message with the maximum possible delay.

For an iOS app, you could rely on a geotag; that may be possible for Android apps as well. But using GPS location would be the easiest method.

gnasher729
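The rotating QR code described in the two answers above (a code that changes every 10 seconds and is refused once it is about 20 seconds old), as an added example that is not code from either answer. It assumes a per-restaurant secret shared by the table display and the order server; the names `make_token`, `verify_token`, `STEP_SECONDS` and `ACCEPTED_STEPS` are hypothetical, and binding the code to a table id goes slightly beyond what the answers state.

```python
import hashlib
import hmac
import time
from typing import Optional

STEP_SECONDS = 10    # the displayed QR code changes this often
ACCEPTED_STEPS = 2   # accept the current and the previous step (10 to 20 s old at most)


def _counter(now: float) -> int:
    return int(now // STEP_SECONDS)


def _mac(secret: bytes, table_id: str, counter: int) -> str:
    # Binding the MAC to the table id stops a code shown at one table
    # from being accepted for another.
    msg = f"{table_id}|{counter}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def make_token(secret: bytes, table_id: str, now: Optional[float] = None) -> str:
    """Value the table's screen embeds in the QR code URL for the current step."""
    counter = _counter(time.time() if now is None else now)
    return f"{counter}.{_mac(secret, table_id, counter)}"


def verify_token(secret: bytes, table_id: str, token: str,
                 now: Optional[float] = None) -> bool:
    """Server-side check: well-formed, recent enough, and MAC matches."""
    now = time.time() if now is None else now
    try:
        counter_str, mac = token.split(".", 1)
        counter = int(counter_str)
    except ValueError:
        return False
    age = _counter(now) - counter
    if not 0 <= age < ACCEPTED_STEPS:   # rejects stale codes and codes "from the future"
        return False
    expected = _mac(secret, table_id, counter)
    return hmac.compare_digest(mac.encode(), expected.encode())


if __name__ == "__main__":
    secret = b"constructed-demo-secret"      # constructed sample value
    t0 = 1_700_000_000.0                     # constructed timestamp
    token = make_token(secret, "table-7", now=t0)
    print(verify_token(secret, "table-7", token, now=t0 + 5))    # fresh scan
    print(verify_token(secret, "table-7", token, now=t0 + 60))   # photo used later
```

A code photographed and relayed within the acceptance window still verifies, so this only bounds how long a copy stays useful; as the first answer notes, whether that is enough depends on why presence matters.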