Welcome to the LimeSurvey Community Forum

Ask the community, share ideas, and connect with other LimeSurvey users!

Issue with {TOKEN} parameter in end url

  • raptyk
  • raptyk's Avatar Topic Author
  • Offline
  • New Member
  • New Member
More
1 week 6 days ago #266923 by raptyk
Your LimeSurvey version: 6.6.2
Own server or LimeSurvey hosting: own
==================I'm having a problem with the {TOKEN} parameter in LimeSurvey 6.6.2's End URL. On the final page, I want to include a link to an external site with these parameters: var1={SAVEDID}&var2={TOKEN}&var3={SID}&lang={LANG}All work except {TOKEN}, which returns empty. Survey responses are saved and viewable, with Tokens generated for each completion. The survey doesn't require registration. Why is {TOKEN} empty? I need it for an external program to securely retrieve survey responses and generate certificates. {SAVEDID} works but is sequential and easily guessable, while {TOKEN} is a large random number, offering better security.

Please Log in to join the conversation.

  • tpartner
  • tpartner's Avatar
  • Offline
  • LimeSurvey Community Team
  • LimeSurvey Community Team
More
1 week 5 days ago #266933 by tpartner
Replied by tpartner on topic Issue with {TOKEN} parameter in end url

... with Tokens generated for each completion. The survey doesn't require registration.
How are the tokens "generated"? Typically, if no registration is required, you would need to create the participants (token) table.

- manual.limesurvey.org/Survey_participant...y_participants_table

Cheers,
Tony Partner

Solutions, code and workarounds presented in these forums are given without any warranty, implied or otherwise.

Please Log in to join the conversation.

  • raptyk
  • raptyk's Avatar Topic Author
  • Offline
  • New Member
  • New Member
More
1 week 5 days ago #266937 by raptyk
Replied by raptyk on topic Issue with {TOKEN} parameter in end url
It's possible that I misunderstood how tokens work. The survey is anonymous and open to everyone. It does not generate access keys for participants. I noticed that after completing the survey, an ID (a consecutive number like 1, 2, 3, etc.) appears for each entry in the table of completed surveys, along with a token that seems to be a random value (e.g., 4628437). I wanted to send this unique value in the "end URL," but as I mentioned earlier, only the ID is transmitted, while the token remains empty.It seems as if with open surveys (without an invitation code, without a participant table), there is a small error in the process, as the token appears to be generated after the redirection to the end URL. The random token is recorded in the results table but is not available during the redirection. Am I right? Can I report this as a bug? 

Please Log in to join the conversation.

  • Joffm
  • Joffm's Avatar
  • Offline
  • LimeSurvey Community Team
  • LimeSurvey Community Team
More
1 week 5 days ago #266938 by Joffm
Replied by Joffm on topic Issue with {TOKEN} parameter in end url
Hi,
sorry, but where do you see a token in the response table? (in an open survey)
I see this
 

Joffm

Volunteers are not paid.
Not because they are worthless, but because they are priceless

Please Log in to join the conversation.

  • raptyk
  • raptyk's Avatar Topic Author
  • Offline
  • New Member
  • New Member
More
1 week 5 days ago - 1 week 5 days ago #266939 by raptyk
Replied by raptyk on topic Issue with {TOKEN} parameter in end url
Thank you for the quick response. I already suspect that my issue lies in understanding the difference between a seed and a token.I was convinced that the value marked in the screenshot was the equivalent of a token. It’s good that you asked where I saw the token in the table—this clears everything up...



So let me ask, is the "seed" unique? Is there any way I can pass its value in the end URL and then use the LimeSurvey API to retrieve the responses?

My process looks like this:
  • An external, anonymous user fills out the survey (including sensitive data).
  • The survey is saved in LimeSurvey, and in the "end URL," I send a request with data to an external custom application issuing a certificate, e.g., [url=http://www.myCustomApp.pl?id=999]www.myCustomApp.pl?id=999[/url]
  • The external application connects to the LimeSurvey API and retrieves the survey responses based on the identifier.
The redirection to [url=http://www.myCustomApp.pl?id=999]www.myCustomApp.pl?id=999[/url] seems unsafe to me because a user, after discovering that the ID is incremental, could manipulate the link and read data or generate a certificate with another user's data.I'm doing all this to avoid using a simple ID, which in my opinion is risky and allows unauthorized users to read other survey responses after discovering that ID values are incremental. Is it possible to use something else instead of this ID (and no longer the "token" ;) -> thanks again!) but, for example, a "seed" or another unique identifier?

Additionally, could I simplify this process or use another built-in mechanism in LimeSurvey, such as passing all the survey responses in the "end URL" (POST/XML/JSON?), which would allow me to skip fetching data via the API?
Last edit: 1 week 5 days ago by raptyk.

Please Log in to join the conversation.

  • tpartner
  • tpartner's Avatar
  • Offline
  • LimeSurvey Community Team
  • LimeSurvey Community Team
More
1 week 4 days ago #266940 by tpartner
Replied by tpartner on topic Issue with {TOKEN} parameter in end url
The seed is used for encrypting data. I don't believe it is available via an ExpressionScript variable.

I suggest storing your own random number in a hidden equation type question. Maybe by appending one or more random numbers to the {SAVEDID}.

Cheers,
Tony Partner

Solutions, code and workarounds presented in these forums are given without any warranty, implied or otherwise.
The following user(s) said Thank You: DenisChenu

Please Log in to join the conversation.

  • raptyk
  • raptyk's Avatar Topic Author
  • Offline
  • New Member
  • New Member
More
1 week 4 days ago #266941 by raptyk
Replied by raptyk on topic Issue with {TOKEN} parameter in end url

The seed is used for encrypting data. I don't believe it is available via an ExpressionScript variable.
Thank you for explanation.

I suggest storing your own random number in a hidden equation type question. Maybe by appending one or more random numbers to the {SAVEDID}.

Interesting idea! I’ve read through the documentation, and indeed, aside from the basic parameters in the "end URL" ({SAVEDID}, {TOKEN}, {SID}, and {LANG}), it’s also possible to use fields from the survey, and even expressions that could dynamically calculate the "encrypted" ID value.

I just hope that the value from {SAVEDID} will already be available at this stage, meaning that the URL generation happens after the {SAVEDID} is saved and generated.

Once again, thank you for the answers!

[url] manual.limesurvey.org/URL_fields [/url]

Please Log in to join the conversation.

  • tpartner
  • tpartner's Avatar
  • Offline
  • LimeSurvey Community Team
  • LimeSurvey Community Team
More
1 week 4 days ago #266942 by tpartner
Replied by tpartner on topic Issue with {TOKEN} parameter in end url

I just hope that the value from {SAVEDID} will already be available at this stage, meaning that the URL generation happens after the {SAVEDID} is saved and generated
The SAVEDID is generated after the submission of the first survey page/group. Insert your equation question after that.

Cheers,
Tony Partner

Solutions, code and workarounds presented in these forums are given without any warranty, implied or otherwise.
The following user(s) said Thank You: raptyk

Please Log in to join the conversation.

  • DenisChenu
  • DenisChenu's Avatar
  • Offline
  • LimeSurvey Community Team & Official Partner
  • LimeSurvey Community Team & Official Partner
More
1 week 3 days ago #266951 by DenisChenu
Replied by DenisChenu on topic Issue with {TOKEN} parameter in end url

The seed is used for encrypting data. I don't believe it is available via an ExpressionScript variable.
 
It was if you activate a new plugin ;)
manual.limesurvey.org/ExpressionFixedDbVar

(but it's NOT a unique ID, only a random number).

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member. - Professional support - Plugins, theme and development .
I don't answer to private message.
The following user(s) said Thank You: raptyk

Please Log in to join the conversation.

Moderators: tpartnerholch

Lime-years ahead

Online-surveys for every purse and purpose