Problem with CheckToken function

Recommend this page to a friend!

      multiOTP PHP class  >  All threads  >  Problem with CheckToken function  >  (Un) Subscribe thread alerts  
Subject:Problem with CheckToken function
Summary:multiotp accept expired TOTP
Messages:2
Author:Duc Max
Date:2014-05-07 08:07:44
 

  1. Problem with CheckToken function   Reply   Report abuse  
Picture of Duc Max Duc Max - 2014-05-07 08:07:44
Hi everyone,
I am building a php website login with Feitian C200 TOTP token device. I synchronized the token successful. And after that, I used function CheckToken to check the next login of user, but i have a problem that the password generate by C200 token had expired (disappear from token's screen) but it still accept the password and user can login.
This is my test code:
$seed_code = 'C80715A87EA7C9D9B2856XXXXXXXXXXX';
$serial = "260033XXXXXX";
$user = "test";
if($multiotp->CheckUserExists($user)) {
echo "user already exits".$crlf;
$multiotp->SetUser($user);
$token_detail_time = (int) $multiotp->GetUserTokenDeltaTime();
echo "token_detail_time: ";var_dump($token_detail_time); echo $crlf;
$token_1 = (int) $_GET['token1'];
var_dump($token_1);
if (0 == ($error = $multiotp->CheckToken($token_1)))
{
echo "- ".$ok_on.'OK!'.$ok_off." Token of the user ".$user." successfully accepted".$crlf;

}
else
{
echo "- ".$ko_on.'KO!'.$ko_off." Error authenticating the user ".$user." with the first token".$crlf;
}
} else {
echo "user does not exits".$crlf;
if($multiotp->CheckTokenExists($serial)) {
echo "token already exits".$crlf;
if (!$multiotp->CreateUserFromToken($user, $serial))
{
echo "- ".$ko_on.'KO!'.$ko_off." Token ".$serial." doesn't exist".$crlf;
}
else
{
echo "- ".$ok_on.'OK!'.$ok_off." User ".$user." successfully created with token ".$serial."".$crlf;
$multiotp->SetUser($user);
$multiotp->SetUserPrefixPin(0);
$multiotp->WriteUserData();
$token_1 = (int) $_GET['token1'];
$token_2 = (int) $_GET['token2'];
if (14 == ($error = $multiotp->CheckToken($token_1, $token_2, (!$browser_mode))))
{
echo "- ".$ok_on.'OK!'.$ok_off." Token of the user ".$user." successfully resynchronized".$crlf;
}
else
{
echo "- ".$ko_on.'KO!'.$ko_off." Token of the user ".$user." NOT resynchronized".$crlf;
}
}
} else {
echo "token does not exits".$crlf;
if ($multiotp->CreateToken($serial, 'TOTP', $seed_code, 6, 60))
{
echo "- ".$ok_on.'OK!'.$ok_off." Token ".$serial." successfully created".$crlf;
if (!$multiotp->CreateUserFromToken($user, $serial))
{
echo "- ".$ko_on.'KO!'.$ko_off." Token ".$serial." doesn't exist".$crlf;

}
else
{
echo "- ".$ok_on.'OK!'.$ok_off." User ".$user." successfully created with token ".$serial."".$crlf;
$multiotp->SetUser($user);
$multiotp->SetUserPrefixPin(0);
$multiotp->WriteUserData();
$token_1 = (int) $_GET['token1'];
$token_2 = (int) $_GET['token2'];
if (14 == ($error = $multiotp->CheckToken($token_1, $token_2, (!$browser_mode))))
{
echo "- ".$ok_on.'OK!'.$ok_off." Token of the user ".$user." successfully resynchronized".$crlf;
}
else
{
echo "- ".$ko_on.'KO!'.$ko_off." Token of the user ".$user." NOT resynchronized".$crlf;
}
}
}
else
{
echo "- ".$ko_on.'KO!'.$ko_off." Creation of ".$serial." token failed".$crlf;
}
}
}
All i want that when the password disappear from the token's screen, user can not login to my website.
Someone help me.
Thanks so much.

  2. Re: Problem with CheckToken function   Reply   Report abuse  
Picture of André Liechti André Liechti - 2014-12-24 14:37:39 - In reply to message 1 from Duc Max
Hello,

Sorry for the late reply. This is the normal feature. A time-based one time password must have a window in which the token is authorized, because it is not possible to have the realtime clock of the token exactly synchonized with the realtime clock of the server.

But multiOTP calculate the difference and automatically adjust the delta time, so if you want to have a shorter window, do a first authentication (which will calculate the delta time for the specific token), and then you can reduce the size of the authorized window.

But in any cases, you will not be able to refuse a token just the second after the token change the display, and this is not the goal of the OTP.

Best regards,

Andre

 

For more information send a message to info at phpclasses dot org.