warning about offsiting the qrcode generation...

[ga4php.git] / doco / readme.txt

diff --git a/doco/readme.txt b/doco/readme.txt
index 1ab3a1e..54c6912 100644 (file)
--- a/doco/readme.txt
+++ b/doco/readme.txt
@@ -21,6 +21,18 @@ codes. But looking at the App's available for smartphones
 that fullfilled some realistic criteria - easy to use, easy to
 provision.
 
+READ THIS BIT
+=============
+
+in the example page, i send a url off to google charts to create
+the QRCode. NEVER EVER EVER EVER EVER do this. I do it cause for
+the example it doesnt matter, and if i find a better way of doing
+it i'll do it. BUT creating a qrcode on a page aint terribly easy.
+The point is, that QR code is a URL containing the tokens SECRET
+KEY and should remain secret. You can generate qrcodes anyway you
+like, BUT MAKE SURE ITS SECURE (i.e. never save them on the FS,
+and send them all over ssl).
+
 
 How?
 ====
@@ -42,4 +54,13 @@ hex, this I do by converting to binary first... Lets how thats
 going to work in the long run. The sad thing is is that if I
 were writing it in C/C++/etc, bit math is easy and while im sure
 its not too different in PHP, I've never done it, so this seeemed
-easier.   
\ No newline at end of file
+easier.   
+
+
+Acknowledgements
+================
+
+Google, for producing google authenticator
+The guys at mOTP who got me all excited about token authenticators
+The guys on this page who spell out how to do hotp
+       http://php.net/manual/en/function.hash-hmac.php
\ No newline at end of file