Talk about QR Code Login



This article looks at the main scenarios for QR code login and the principles behind it.


The main scenarios are as follows:

  • An app scans a QR code to log in to the PC version of a system

For example, with WeChat Web, once the user is logged in to WeChat on the phone, scanning the QR code and confirming logs the web version in automatically. The app here falls into two categories: the system's own app, or a third-party app.

The system's own app has its own authentication system and, being already logged in, completes the scan login on the PC side.
In the third-party case, for example using the WeChat app on the phone to scan and log in to a PC system, WeChat's OAuth system is generally used: the server binds its own account system to the WeChat account and then performs the automatic login on the PC side.

  • An app scans a QR code as two-factor verification

For example, on the WeChat public account platform, after logging in on the PC side with account and password, the user scans a QR code with WeChat on the phone to reconfirm before being logged in to the web version.

  • Secure QR Login (SQRL)

Login is done entirely by QR code, with no user password. The SQRL protocol and its implementations cover this.


Everything below rests on one premise: the mobile app is already logged in and holds its own login credentials, and it then scans a code to log in to the system on the PC side.

  • The PC opens the page and displays the login QR code (provided the PC side is not logged in)

At this point the PC requests a login QR code from the server.
The server generates a QR code that contains a unique identifier for the PC, such as the sessionId, or a newly generated uuid associated with the sessionId.

  • The PC side starts polling (there are other implementations, such as long-lived connections; polling is used here)

After obtaining the QR code, the PC polls its status at regular intervals. The main statuses are: new, scanned, confirmed, reused, expired

  • The mobile side scans the QR code

With the phone already logged in, it scans the QR code on the web page; the QR code status changes to scanned, and the phone then jumps to the confirmation page.

  • Mobile phone confirmation

After scanning the QR code, the user taps OK on the phone, and the QR code status changes to confirmed.

  • PC side: login succeeds / QR code expired / rejected

Once the QR code status changes to confirmed, the PC jumps to the automatic login, which establishes the login state on the PC side.
If the app side rejects the request, the QR code status becomes rejected and polling stops.
If the QR code status has not changed within a certain period of time, the PC shows that the QR code has expired and stops polling.

PC client

  • Request a login QR code
  • Poll the QR code status
  • Jump to the landing page

Mobile client

  • Scan the login QR code
  • Confirm the login

Server side

  • Generate a login QR code and bind it to a PC client
  • Handle QR code polling
  • Handle the QR code scan from the mobile side
  • Handle the mobile side's confirmation of the QR code login
  • Handle automatic login on the PC side
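
The server-side duties listed above, as an added Python sketch (not code from the original article). The class and method names, the 120-second lifetime and the extra "consumed" state that makes a confirmed code single-use are assumptions made for illustration.

```python
import secrets
import time

TTL_SECONDS = 120  # assumed lifetime of a login QR code


class QrLoginService:
    """In-memory sketch; a real service would keep tickets in Redis or a database."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.tickets = {}  # qr_id -> ticket

    def create(self, pc_session_id):
        qr_id = secrets.token_urlsafe(16)  # unguessable id encoded in the QR image
        self.tickets[qr_id] = {"pc": pc_session_id, "status": "new", "user": None,
                               "expires": self.clock() + TTL_SECONDS}
        return qr_id

    def _live(self, qr_id):
        t = self.tickets.get(qr_id)
        if t and t["status"] in ("new", "scanned") and self.clock() >= t["expires"]:
            t["status"] = "expired"
        return t

    def scan(self, qr_id, app_user):
        t = self._live(qr_id)
        if not t or t["status"] != "new":
            return False
        t["status"], t["user"] = "scanned", app_user
        return True

    def decide(self, qr_id, app_user, accept):
        t = self._live(qr_id)
        # Only the account that scanned the code may confirm or reject it.
        if not t or t["status"] != "scanned" or t["user"] != app_user:
            return False
        t["status"] = "confirmed" if accept else "rejected"
        return True

    def poll(self, qr_id, pc_session_id):
        t = self._live(qr_id)
        # The code is bound to the PC session that requested it.
        if not t or t["pc"] != pc_session_id:
            return {"status": "unknown"}
        if t["status"] == "confirmed":
            t["status"] = "consumed"  # single use: a replayed poll cannot log in again
            return {"status": "confirmed", "user": t["user"]}
        return {"status": t["status"]}
```

The PC side would establish its login state only on the one poll that returns "confirmed".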


How does the PC log in automatically?

This problem is equivalent to the problem of multiple devices logging in with the same account at the same time.

After the QR code has been scanned and confirmed by an app that holds a login state, how does the PC side complete the automatic login? There are several schemes:

  • Session copy

In effect, support for login without account and password is added on top of the original account/password authentication logic. It amounts to bypassing the password check and, based on the user name, setting up a login state internally.
If authentication is session-based, this amounts to copying the information from the original authenticated session into a new session and associating the two on the server side.

  • Reuse the existing token

If authentication is token-based, one scheme is to reuse the token, so that the PC side uses the same token as the mobile app. The advantage is that the original token-based authentication logic does not need to change.

  • Issue a new token, following OAuth-style authorization

The whole process is actually a bit like OAuth. The PC side is the client, the server side is the resource and authentication center, and the mobile side is the user holding a login state. The mobile side scans the QR code and the user confirms the authorization. The server then issues a token to the PC side, which can use it to access the server's resources. Token verification then has to support an additional OAuth-style token type on top of the original authentication, which seems a bit complicated.
Another variation is to issue a new token but keep an association mapping to the token on the app side. When the new token is verified, the original authorizing token is looked up and verified as well. The advantage is that once the original token becomes invalid, the tokens it authorized become invalid too.
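
The last variation, as an added Python sketch (not code from the original article): a PC token that is mapped to the app token that authorized it, so revoking the app token also invalidates the PC token, while a PC token can be revoked on its own. TokenStore and its method names are assumptions made for illustration.

```python
import secrets


class TokenStore:
    """Tokens issued to the app, plus PC tokens derived from them by QR login."""

    def __init__(self):
        self.active = set()  # tokens that have not been revoked
        self.parent = {}     # PC token -> app token that authorized it

    def issue_app_token(self):
        token = secrets.token_urlsafe(24)
        self.active.add(token)
        return token

    def issue_pc_token(self, app_token):
        # Only a valid, first-level app token may authorize a PC login.
        if app_token in self.parent or not self.is_valid(app_token):
            raise PermissionError("authorizing token is not valid")
        token = secrets.token_urlsafe(24)
        self.active.add(token)
        self.parent[token] = app_token
        return token

    def is_valid(self, token):
        if token not in self.active:
            return False
        parent = self.parent.get(token)
        # A derived token is only as valid as the token that authorized it.
        return parent is None or self.is_valid(parent)

    def revoke(self, token):
        self.active.discard(token)
```

With the plain token-reuse scheme there is only one token, so ending the PC login alone is not possible without also logging the phone out.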

QR code expiry

There are two approaches: one relies on key expiry in Redis; the other stores the code in a database with an expiry time and checks against it.

Security issues

QRLJacking, in full Quick Response Code Login Jacking, is a kind of session hijacking.


How exactly is the hijacking done? Suppose the attacker disguises the web login QR code as a public account QR code and gets the user to scan it. If the user carelessly taps confirm, the attacker is logged in to the user's web system and can use the token/session to steal the user's information or perform operations as the user.

How to guard against it

  • QR code timeout mechanism

Adding a timeout to the QR code makes the attack harder, but an attacker may still use a script to refresh the QR code automatically.

  • Confirmation mechanism

A QR code scan must be followed by a confirmation page that clearly tells the user what is about to happen. Without this confirmation step, users are extremely easy to deceive. In addition, once the scan has been confirmed, a login notification is sent to the user's app or phone, advising the user to change the password immediately if the login was not theirs.

  • Sound-based Authentication

The confirmation phase becomes a two-sided sound confirmation instead of the user simply tapping a confirm button. The sound is generated, encrypted, from the user id, QR code id and so on; it is played on the app side, and the login completes only after the PC side has recognized it. This effectively prevents remote attacks. In the same way, the sound can be replaced by a one-time password, which makes the confirmation process more involved and the attack harder.
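
The one-time-password variant, as an added Python sketch (not code from the original article): the server derives a short code from the user id and QR code id, the app displays it, and the login completes only when the same code is entered on the PC showing the QR code. HMAC-SHA256 with HOTP-style truncation, the 6-digit length, the 3-attempt limit and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment secret, never sent to clients
MAX_ATTEMPTS = 3                      # assumed limit on wrong codes per QR code


def confirmation_code(user_id, qr_id, key=SERVER_KEY):
    """6-digit code bound to one user and one QR code."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") give different input.
    parts = (user_id.encode(), qr_id.encode())
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, as in HOTP
    number = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{number % 10**6:06d}"


class CodeVerifier:
    def __init__(self, key=SERVER_KEY):
        self.key = key
        self.used_up = {}  # qr_id -> failed attempts (or MAX_ATTEMPTS once consumed)

    def verify(self, user_id, qr_id, typed):
        if self.used_up.get(qr_id, 0) >= MAX_ATTEMPTS:
            return False  # locked out or already used
        expected = confirmation_code(user_id, qr_id, self.key)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), typed.encode()):
            self.used_up[qr_id] = MAX_ATTEMPTS  # a code works exactly once
            return True
        self.used_up[qr_id] = self.used_up.get(qr_id, 0) + 1
        return False
```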


QR code scan login is a very popular feature. Besides building the feature out, the system also has to defend against the attacks this form of login makes possible.