Better customer verification tokens

Discussion in 'General XenForo Discussion and Feedback' started by Kent, May 26, 2013.

  1. Kent

    Kent Active Member

    The customer verification requires only a token and optionally a domain.
    It's up to whoever is asking for the token to keep it safe and check the domain by having a unique file uploaded. This may not always happen.

    If tokens are instead generated using a secret salt and a message, they could become purposeful tokens.

    $purposefulToken = md5($salt . $message);
    $salt is retrieved from the server using the associated license ID/token which is then hashed with a $message. This creates a token which the server can re-generate without having to store the $message. The $purposefulToken is given to the customer along with their license ID/token.

    The $message can be something like... "XenForo license verification for XenForo forum user SomeDeveloper on 26 May 2013. Not intended for any other purpose."
    The developer can additionally request that a message of their own is appended in case the $message is too generic to trust.

    It's worth noting that given an output, the $salt could be brute forced if it is not long enough or random enough.
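The purpose-bound token scheme described above, as an added example that is not part of the original post. It substitutes HMAC-SHA256 for the post's md5($salt . $message) and stands in for the server-side salt lookup with a dictionary; the license ID, user name and "nonce" values are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the server-side lookup of a license's secret salt
# by license ID (assumption: the real store is a database keyed by license).
LICENSE_SALTS = {"LICENSE-0001": secrets.token_bytes(32)}


def build_message(user: str, date: str, extra: str = "") -> str:
    """Compose the purpose statement the token is bound to, as in the thread.

    `extra` is the developer-supplied string appended when the generic text
    is too broad to trust on its own.
    """
    msg = (f"XenForo license verification for XenForo forum user {user} "
           f"on {date}. Not intended for any other purpose.")
    return msg + (" " + extra if extra else "")


def purposeful_token(license_id: str, message: str) -> str:
    """Derive a token from the license's secret salt and the message.

    The post writes this as md5($salt . $message); HMAC-SHA256 is used here
    instead because it is the standard keyed construction for this job and
    is not subject to length extension like hash(salt || message).
    """
    salt = LICENSE_SALTS[license_id]
    return hmac.new(salt, message.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_token(license_id: str, message: str, token: str) -> bool:
    """Recompute from the stored salt; the message itself is never stored."""
    salt = LICENSE_SALTS.get(license_id)
    if salt is None:
        return False
    expected = hmac.new(salt, message.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time compare so a verification endpoint does not leak a matching prefix.
    return hmac.compare_digest(expected, token)


def demo() -> dict:
    """Show the binding: a token issued for one purpose fails for any other."""
    lic = "LICENSE-0001"
    intended = build_message("SomeDeveloper", "26 May 2013", "nonce:4f2a")
    other_dev = build_message("OtherDeveloper", "26 May 2013", "nonce:4f2a")
    no_extra = build_message("SomeDeveloper", "26 May 2013")
    token = purposeful_token(lic, intended)
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    return {
        "valid_for_intended": verify_token(lic, intended, token),
        "reused_by_other_dev": verify_token(lic, other_dev, token),
        "replayed_without_extra": verify_token(lic, no_extra, token),
        "unknown_license": verify_token("LICENSE-9999", intended, token),
        "tampered_token": verify_token(lic, intended, tampered),
    }
```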
  2. Slavik

    Slavik XenForo Moderator Staff Member

    What purpose does having a custom message provide?

    It is for this very reason the current token system is done as it is done: the variables going into creating the tokens are 100% random, so there is no possibility of brute-forcing them.
  3. Kent

    Kent Active Member

    It prevents malicious reuse of tokens, as the message must also be provided with the token to validate it.
    It is highly unlikely that one would successfully brute force a good $salt within our sun's lifetime.
  4. Biker

    Biker Well-Known Member

    You're also overlooking the point that a token can be generated at any time, thereby invalidating the previous token.
  5. Kent

    Kent Active Member

    That doesn't prevent the token being misused while it is valid, and a developer may request that the token remain valid for extended periods for their convenience.
  6. Biker

    Biker Well-Known Member

    Tokens aren't meant to be used as a constant verification and should never be used as such. Considering the length and randomness of the token, creating a salt hash is overkill for the designed purpose of the token itself.
  7. Brogan

    Brogan XenForo Moderator Staff Member

    Not a suggestion for the software so moved to feedback.
  8. Slavik

    Slavik XenForo Moderator Staff Member

    I honestly don't see what this achieves sorry.
  9. Kent

    Kent Active Member

    • Generate as many tokens for as many people as desired
    • Tokens do not need to be secret, no need to re-generate
    • Tokens cannot be misused for other purposes
    • No need to have a file uploaded to the associated domain, faster confirmation with less hassle
    • Developers can implement custom verification methods by requesting a specific string be included with the message
  10. Slavik

    Slavik XenForo Moderator Staff Member

    1. Tokens can be re-generated many times as is.
    2. You don't need to ever re-generate a token if you don't want to. The re-generation is there for that exact reason, to prevent misuse.
    3. Doesn't point 2 negate the point of this one?
    4. You don't need to upload a file as is?
    5. The system isn't designed to be used as a crude type of "DRM" of continuous validation.
  11. Kent

    Kent Active Member

    Multiple tokens can be generated for different purposes at the same time without invalidating previous tokens. None of the information needs to be stored as the server can re-generate it on its own later.
    When sending your token/domain to anyone, you're fully trusting them not to misuse that information before replying that they have confirmed it so you can generate a new token.
    Uploading a file is required to confirm that the person you're speaking to is in fact the owner of the site which the license is associated with. The token and domain alone aren't enough because more than just the owner will know this information.
  12. Sheldon

    Sheldon Well-Known Member

    Who is going to figure out my domain and token?
  13. Adam Howard

    Adam Howard Well-Known Member

    The tokens sometimes do repeat.

    These are tokens which I generated one after the other.

    They're not as random as you would believe.

    Attached is me doing it again, but with a clock to show the difference in time.

    To repeat this process, don't simply click on "generate token" or "cancel". Simply click somewhere else on screen to dismiss the overlay. You'll get a mix of new and re-used tokens.

    There is a weakness in your token system.

    (quick, someone find DRE so he can quote me as being, right again :p )

  14. Slavik

    Slavik XenForo Moderator Staff Member

  15. Kent

    Kent Active Member

    Anyone you send it to for validation, and anyone who has access to the medium in which it is sent, not limited to the intended recipient. The token can be misused during this time until it is re-generated.

    @Adam Howard
    Uh, that is an unexpected development. Wonder what is being used to generate it.
    Never mind, misread.
  16. Shelley

    Shelley Well-Known Member

    Since I generated a token the other day to download an add-on, I'll ask anyway. What is the flaw in the token system? Once you generate it, you pass it to the add-on maker to get your download and re-generate it to null the previous token you sent to the add-on maker. Care to explain further? My understanding is the token is useless and won't return me as the one generating the token, right?
  17. Adam Howard

    Adam Howard Well-Known Member

    I would argue the fail is yours.
    ^ Every time you click that link, you should get a new token (according to Mike). That's not the case.
  18. Adam Howard

    Adam Howard Well-Known Member

    Short answer:

    If the tokens repeat, they're not exactly useless once used.
  19. Slavik

    Slavik XenForo Moderator Staff Member

    Every time you click that link, it will open an overlay to show you the last generated token.

    It will show you the same token every time, until such time as you re-generate it clicking the regenerate token button.
  20. Mike

    Mike XenForo Developer Staff Member

    I never said that.
