Plugin to decrypt URL parameters / prefilled answers

7 years 10 months ago #102397 by Spydre13
I've been looking for a while for a way to prefill answers without the answers being sent in cleartext and stored in the browser history. I think when using HTTPS the parameters will be encrypted, but they are still stored in the browser history on the URL.

With the new plugin architecture in 2.05, is it possible to create a plugin that takes an encrypted parameter, decrypts it, and sets the parameters/prefilled answers based on that? I already have the functions to encrypt/decrypt the text, so I just need to know if it's possible to accomplish this with a plugin and have someone point me in the right direction.

I would also send an "expires" parameter, which would get decrypted and the plugin would verify if the link is still valid. That way I can set each link to expire in a set amount of time from when it was generated.

I would be willing to pay/donate for help with this solution.

The topic has been locked.
7 years 10 months ago #102427 by sammousa
Hi Nate,

This sounds like a great idea for a plugin!

The procedure to create such a plugin would be simple:
- Check if an appropriate event exists (ie. beforeSurveyStart), that allows you to edit the response.

- If not, go to the bugtracker and request the event, provide as much detail as possible, tell us what it should do and what you plan to use it for (this forum post is a good start =)

- Create a plugin based on one of our example plugin(s) that registers for the appropriate events and decrypts the data sent in the requests and applies it to the current response.

As far as I know we don't have the appropriate event yet, however adding events is a trivial task and definitely something we are open to.

I am wondering though, is your goal to prevent changing the values or to prevent reading the values?
If you just want to prevent users changing the values you can always add a hash parameter and hash the URL combined with a secret key. That way any change in the URL will invalidate it. It will not however protect the values passed from being discovered by the user.
The topic has been locked.
7 years 10 months ago #102433 by Spydre13

Could you elaborate on what the beforeSurveyStart event currently does, or is there a place I haven't found that explains it better? I will take a look at the example plugins in 2.05RC7 and see if I can get started.

My goal is to be able to pass information in securely (encrypted on the URL, and therefore in browser history) and prevent someone who discovers the URL at a later date (from browser history or e-mail) from re-entering the survey and viewing answers whether it is complete or incomplete.

What I am currently doing with version 1.91+ is similar to what you suggested. I'm taking the prefill parameters, adding a URL expiration date/time, and encrypting it. However, I would like LimeSurvey to decrypt this information directly instead of my external script, because right now the external script still has to redirect the users to the limesurvey site with the parameters un-encrypted.

The topic has been locked.
7 years 10 months ago #102442 by sammousa
If you just want to make sure they cant get back into the survey after completion, that option is already available.

Anyway, the beforeSurveyStart event does not exist yet; but you can request it via the bugtracker!
The topic has been locked.
7 years 9 months ago #102747 by DenisChenu

I think this one : (beforeSurveyPage) can do the trick.

Think you can use somethnig like that:
(test if encrypted is set, and maybe if you are are the first step.)


Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development . I don't answer to private message.
The topic has been locked.

Start now!

Just create your account and start using Limesurvey today.

Register now