Kiosk Browser Authentication

TL;DR

This guide shows how an administrator, working from one browser (the admin interface), can confirm that a separate browser running as a kiosk is the one registered with the server. The kiosk holds a cookie that only it can present; the admin browser never receives that cookie and authenticates to the server with its own credentials. A simple server-side check ties the two together.

Steps

  1. Set up a Server-Side Component
    • You’ll need a server (Node.js, Python/Flask, PHP, etc.) to handle authentication requests and cookie management. This example uses Node.js with Express.
    • Install necessary packages:
      npm install express cookie-parser
    • Create an endpoint for kiosk registration. It generates a cryptographically random token (e.g., 32 bytes from crypto.randomBytes, or a version 4 UUID) and stores it, associated with the kiosk’s identifier (if any), together with its expiry time.
    • Create an endpoint on which the kiosk presents that token (from its cookie) for validation, and a separate, admin-authenticated endpoint on which an administrator can ask whether a given kiosk is registered and currently valid.
  2. Kiosk Browser – Initial Registration
    • When the kiosk browser starts, it makes a request to your server’s registration endpoint.
    • The server generates a token, stores it against the kiosk identifier and sets it as a cookie in the response to the kiosk browser. The cookie must carry the Secure flag (sent over HTTPS only), HttpOnly, and an expiry (maxAge) that matches the server-side expiry.
    • const crypto = require('crypto');
      const MAX_AGE_MS = 8 * 60 * 60 * 1000; // 8 hours; pick the expiry that fits your kiosks
      app.get('/kiosk/register/:kioskId', (req, res) => {
        const token = crypto.randomBytes(32).toString('hex'); // 256 random bits from the CSPRNG
        saveKioskToken(req.params.kioskId, token, Date.now() + MAX_AGE_MS); // your storage; store a hash, not the raw token
        res.cookie('kiosk_token', token, { secure: true, httpOnly: true, sameSite: 'strict', maxAge: MAX_AGE_MS });
        res.json({ success: true }); // the token travels only in the cookie, not in the body
      });
    • The cookie name (kiosk_token here) matters: the kiosk’s validation endpoint reads the token back under this name.
  3. Admin Browser – Authentication Request
    • In the admin browser, provide a form or interface where an administrator can initiate authentication against a specific kiosk.
    • To authenticate, the administrator must know the kiosk’s identifier (if any). The identifier is a label, not a secret.
    • The admin browser sends a request to the server’s admin validation endpoint, including the kiosk identifier. This request is authorized by the administrator’s own session or credential; it cannot carry the kiosk’s cookie, because a cookie is only sent by the browser that received it.
  4. Server-Side Validation
    • On the kiosk-facing check-in endpoint, read the kiosk_token cookie from the kiosk browser’s request and compare it, in constant time, with the token stored for the kiosk identifier in the path. Record a successful check-in.
    • On the admin validation endpoint, first authenticate the administrator, then look up the stored record for the specified kiosk identifier.
    • If the kiosk is registered, its token has not expired and it has checked in, consider the authentication successful and return a success response to the admin browser; otherwise return an error that does not reveal whether the identifier exists.
    • const crypto = require('crypto');
      // The kiosk proves possession of its cookie on a kiosk-facing endpoint.
      app.get('/kiosk/checkin/:kioskId', (req, res) => {
        const presented = req.cookies.kiosk_token || '';
        const expected = getKioskToken(req.params.kioskId); // your storage; null if unknown or expired
        const a = Buffer.from(presented), b = Buffer.from(expected || '');
        const ok = !!expected && a.length === b.length && crypto.timingSafeEqual(a, b);
        if (!ok) return res.status(401).json({ success: false, message: 'Invalid token' });
        markKioskSeen(req.params.kioskId, Date.now()); // your storage
        res.json({ success: true });
      });

      // The admin asks whether a kiosk is registered and alive. requireAdmin is your
      // existing admin authentication middleware; the kiosk cookie plays no part here.
      app.get('/admin/validate/:kioskId', requireAdmin, (req, res) => {
        const status = getKioskStatus(req.params.kioskId); // { registered, lastSeen, expiresAt } from your storage
        if (!status || !status.registered || Date.now() >= status.expiresAt) {
          return res.status(404).json({ success: false, message: 'Kiosk not registered or token expired' });
        }
        res.json({ success: true, message: 'Kiosk authenticated', lastSeen: status.lastSeen });
      });
  5. Security Considerations
    • HTTPS is essential: Always use HTTPS to protect the cookie from interception. The secure: true flag makes the browser send the cookie only over HTTPS; it does not stop the server from answering plain HTTP, so redirect or refuse HTTP as well.
    • HttpOnly Flag: Set httpOnly: true so page scripts cannot read the cookie, limiting what an XSS in the kiosk page can steal. Add sameSite: 'strict' so the browser does not attach the cookie to cross-site requests.
    • Cookie Expiry: Set a reasonable expiry on the cookie and enforce the same expiry server-side; the browser-side Max-Age is a convenience, not a control. Shorter lifetimes are more secure but require more frequent re-registration.
    • Token Generation and Comparison: Generate tokens from a CSPRNG (crypto.randomBytes(32) or crypto.randomUUID()), never Math.random(). Compare with crypto.timingSafeEqual, and store only a hash of the token so a leaked database does not yield usable cookies.
    • Kiosk Identifier Security: The identifier appears in URLs and is effectively public. Never treat knowledge of it as proof of anything; authentication rests on the token and on the administrator’s own credentials.
    • Input Validation: Validate kiosk identifiers against a strict allow-list pattern (for example letters, digits, hyphen and underscore) before they reach storage, and validate all other input server-side to prevent injection attacks.
    • Admin Authentication: The admin validation endpoint must itself require authentication (an admin session, ideally with MFA). Without it, anyone can enumerate which kiosks are registered and when they last checked in.