Your LimeSurvey version: 6.6.2
Own server or LimeSurvey hosting: own
================='m having a problem with the {TOKEN} parameter in LimeSurvey 6.6.2's End URL. On the final page, I want to include a link to an external site with these parameters: var1={SAVEDID}&var2={TOKEN}&var3={SID}&lang={LANG}All work except {TOKEN}, which returns empty. Survey responses are saved and viewable, with Tokens generated for each completion. The survey doesn't require registration. Why is {TOKEN} empty? I need it for an external program to securely retrieve survey responses and generate certificates. {SAVEDID} works but is sequential and easily guessable, while {TOKEN} is a large random number, offering better security.

raptyk wrote:

... with Tokens generated for each completion. The survey doesn't require registration.

How are the tokens "generated"? Typically, if no registration is required, you would need to create the participants (token) table.

- www.limesurvey.org/manual/Survey_partici...y_participants_table

It's possible that I misunderstood how tokens work. The survey is anonymous and open to everyone. It does not generate access keys for participants. I noticed that after completing the survey, an ID (a consecutive number like 1, 2, 3, etc.) appears for each entry in the table of completed surveys, along with a token that seems to be a random value (e.g., 4628437). I wanted to send this unique value in the "end URL," but as I mentioned earlier, only the ID is transmitted, while the token remains empty.It seems as if with open surveys (without an invitation code, without a participant table), there is a small error in the process, as the token appears to be generated after the redirection to the end URL. The random token is recorded in the results table but is not available during the redirection. Am I right? Can I report this as a bug? 

Hi,
sorry, but where do you see a token in the response table? (in an open survey)
I see this
 

Joffm

Thank you for the quick response. I already suspect that my issue lies in understanding the difference between a seed and a token.I was convinced that the value marked in the screenshot was the equivalent of a token. It’s good that you asked where I saw the token in the table—this clears everything up...



So let me ask, is the "seed" unique? Is there any way I can pass its value in the end URL and then use the LimeSurvey API to retrieve the responses?

My process looks like this:

• An external, anonymous user fills out the survey (including sensitive data).
• The survey is saved in LimeSurvey, and in the "end URL," I send a request with data to an external custom application issuing a certificate, e.g., [url=https://www.myCustomApp.pl?id=999]www.myCustomApp.pl?id=999[/url]
• The external application connects to the LimeSurvey API and retrieves the survey responses based on the identifier.

The redirection to [url=https://www.myCustomApp.pl?id=999]www.myCustomApp.pl?id=999[/url] seems unsafe to me because a user, after discovering that the ID is incremental, could manipulate the link and read data or generate a certificate with another user's data.I'm doing all this to avoid using a simple ID, which in my opinion is risky and allows unauthorized users to read other survey responses after discovering that ID values are incremental. Is it possible to use something else instead of this ID (and no longer the "token" -> thanks again!) but, for example, a "seed" or another unique identifier?

Additionally, could I simplify this process or use another built-in mechanism in LimeSurvey, such as passing all the survey responses in the "end URL" (POST/XML/JSON?), which would allow me to skip fetching data via the API?

The seed is used for encrypting data. I don't believe it is available via an ExpressionScript variable.

I suggest storing your own random number in a hidden equation type question. Maybe by appending one or more random numbers to the {SAVEDID}.

tpartner wrote:

The seed is used for encrypting data. I don't believe it is available via an ExpressionScript variable.

Thank you for explanation.

I suggest storing your own random number in a hidden equation type question. Maybe by appending one or more random numbers to the {SAVEDID}.

Interesting idea! I’ve read through the documentation, and indeed, aside from the basic parameters in the "end URL" ({SAVEDID}, {TOKEN}, {SID}, and {LANG}), it’s also possible to use fields from the survey, and even expressions that could dynamically calculate the "encrypted" ID value.

I just hope that the value from {SAVEDID} will already be available at this stage, meaning that the URL generation happens after the {SAVEDID} is saved and generated.

Once again, thank you for the answers!

[url] www.limesurvey.org/manual/URL_fields [/url]

raptyk wrote:

I just hope that the value from {SAVEDID} will already be available at this stage, meaning that the URL generation happens after the {SAVEDID} is saved and generated

The SAVEDID is generated after the submission of the first survey page/group. Insert your equation question after that.

tpartner wrote:

The seed is used for encrypting data. I don't believe it is available via an ExpressionScript variable.
 

It was if you activate a new plugin
www.limesurvey.org/manual/ExpressionFixedDbVar

(but it's NOT a unique ID, only a random number).