PHP Classes

Problem with CheckToken function

Subject: Problem with CheckToken function
Summary: multiotp accepts expired TOTP
Messages: 2
Author: Duc Max
Date: 2014-05-07 08:07:44
 

1. Problem with CheckToken function
Duc Max - 2014-05-07 08:07:44
Hi everyone,
I am building a PHP website login with a Feitian C200 TOTP token device. I synchronized the token successfully. After that, I used the CheckToken function to check the next login of the user, but I have a problem: the password generated by the C200 token had expired (disappeared from the token's screen), but it is still accepted and the user can log in.
This is my test code:
<?php
// Assumed setup (not part of the original post): load the multiOTP class,
// create the instance and define the output helpers the snippet relies on.
// The constructor call follows the multiOTP demo scripts and is an assumption.
require_once 'multiotp.class.php';
$multiotp = new Multiotp('DefaultCliEncryptionKey');
$crlf = "<br />\n";
$ok_on = '<b>'; $ok_off = '</b>';
$ko_on = '<b>'; $ko_off = '</b>';
$browser_mode = true;

$seed_code = 'C80715A87EA7C9D9B2856XXXXXXXXXXX'; // seed masked in the post
$serial = "260033XXXXXX";                         // token serial masked in the post
$user = "test";

if ($multiotp->CheckUserExists($user)) {
    // Existing user: verify the next login with a single code
    echo "user already exists".$crlf;
    $multiotp->SetUser($user);
    $token_detail_time = (int) $multiotp->GetUserTokenDeltaTime();
    echo "token_detail_time: "; var_dump($token_detail_time); echo $crlf;
    $token_1 = (int) $_GET['token1'];
    var_dump($token_1);
    if (0 == ($error = $multiotp->CheckToken($token_1))) {
        echo "- ".$ok_on.'OK!'.$ok_off." Token of the user ".$user." successfully accepted".$crlf;
    } else {
        echo "- ".$ko_on.'KO!'.$ko_off." Error authenticating the user ".$user." with the first token".$crlf;
    }
} else {
    echo "user does not exist".$crlf;
    if ($multiotp->CheckTokenExists($serial)) {
        // Token already known: attach a new user to it and resynchronize
        echo "token already exists".$crlf;
        if (!$multiotp->CreateUserFromToken($user, $serial)) {
            echo "- ".$ko_on.'KO!'.$ko_off." Token ".$serial." doesn't exist".$crlf;
        } else {
            echo "- ".$ok_on.'OK!'.$ok_off." User ".$user." successfully created with token ".$serial."".$crlf;
            $multiotp->SetUser($user);
            $multiotp->SetUserPrefixPin(0);
            $multiotp->WriteUserData();
            // Two consecutive codes are needed for the resynchronization (result code 14)
            $token_1 = (int) $_GET['token1'];
            $token_2 = (int) $_GET['token2'];
            if (14 == ($error = $multiotp->CheckToken($token_1, $token_2, (!$browser_mode)))) {
                echo "- ".$ok_on.'OK!'.$ok_off." Token of the user ".$user." successfully resynchronized".$crlf;
            } else {
                echo "- ".$ko_on.'KO!'.$ko_off." Token of the user ".$user." NOT resynchronized".$crlf;
            }
        }
    } else {
        // Unknown token: create it as TOTP, 6 digits, 60-second time step
        echo "token does not exist".$crlf;
        if ($multiotp->CreateToken($serial, 'TOTP', $seed_code, 6, 60)) {
            echo "- ".$ok_on.'OK!'.$ok_off." Token ".$serial." successfully created".$crlf;
            if (!$multiotp->CreateUserFromToken($user, $serial)) {
                echo "- ".$ko_on.'KO!'.$ko_off." Token ".$serial." doesn't exist".$crlf;
            } else {
                echo "- ".$ok_on.'OK!'.$ok_off." User ".$user." successfully created with token ".$serial."".$crlf;
                $multiotp->SetUser($user);
                $multiotp->SetUserPrefixPin(0);
                $multiotp->WriteUserData();
                // Two consecutive codes are needed for the resynchronization (result code 14)
                $token_1 = (int) $_GET['token1'];
                $token_2 = (int) $_GET['token2'];
                if (14 == ($error = $multiotp->CheckToken($token_1, $token_2, (!$browser_mode)))) {
                    echo "- ".$ok_on.'OK!'.$ok_off." Token of the user ".$user." successfully resynchronized".$crlf;
                } else {
                    echo "- ".$ko_on.'KO!'.$ko_off." Token of the user ".$user." NOT resynchronized".$crlf;
                }
            }
        } else {
            echo "- ".$ko_on.'KO!'.$ko_off." Creation of ".$serial." token failed".$crlf;
        }
    }
}
All I want is that when the password disappears from the token's screen, the user cannot log in to my website.
Can someone help me?
Thanks so much.

2. Re: Problem with CheckToken function
André Liechti - 2014-12-24 14:37:39 - In reply to message 1 from Duc Max
Hello,

Sorry for the late reply. This is the normal behaviour. A time-based one-time password must have a window in which the token is authorized, because it is not possible to have the real-time clock of the token exactly synchronized with the real-time clock of the server.

But multiOTP calculates the difference and automatically adjusts the delta time, so if you want to have a shorter window, do a first authentication (which will calculate the delta time for the specific token), and then you can reduce the size of the authorized window.

But in any case, you will not be able to refuse a token just the second after the token changes its display, and this is not the goal of OTP.

Best regards,

Andre
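The following is an added, self-contained illustration of the behaviour discussed in this thread; it is not multiOTP code and not part of either post. It implements RFC 4226/6238 TOTP in Python with the 60-second time step the first post uses in CreateToken, a verifier with a +/- window of time steps, the "first authentication learns the delta time, then narrow the window" approach from the reply, and a replay guard on the last used step (a check a verifier should have that the thread itself does not discuss). The seed is the public RFC test key, the timestamps and the 200-second token clock drift are constructed, and the class and method names are invented for the example.

```python
"""Worked example (added; not multiOTP code): why a TOTP verifier needs a
time window, how learning the token's clock offset lets that window shrink,
and why a code that just left the display can still be accepted."""
import hashlib
import hmac
import struct

STEP = 60       # seconds per code; the thread's CreateToken(..., 6, 60) uses 60
DIGITS = 6

# Constructed demo seed: the RFC 4226/6238 test key "12345678901234567890".
# The real seed from the thread is masked and is NOT used here.
DEMO_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> int:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return code % (10 ** digits)


def totp(key: bytes, unix_time: int, step: int = STEP) -> int:
    """RFC 6238 TOTP: HOTP over the time-step counter."""
    return hotp(key, unix_time // step)


class TotpVerifier:
    """Server-side check with a +/- window of time steps, a learned clock
    offset (delta, in seconds) and a replay guard on the last used step.
    Invented for this example; not the multiOTP API."""

    def __init__(self, key: bytes, step: int = STEP, window: int = 1):
        self.key = key
        self.step = step
        self.window = window      # steps accepted on each side of "now"
        self.delta = 0            # learned token-vs-server offset, seconds
        self.last_counter = -1    # highest step already used for a login

    def check(self, code: int, server_time: int) -> bool:
        base = (server_time + self.delta) // self.step
        for k in range(-self.window, self.window + 1):
            counter = base + k
            if counter <= self.last_counter:
                continue          # replay of an already used step
            expected = str(hotp(self.key, counter)).zfill(DIGITS)
            if hmac.compare_digest(expected, str(code).zfill(DIGITS)):
                self.last_counter = counter
                return True
        return False

    def resync(self, code1: int, code2: int, server_time: int,
               search: int = 10) -> bool:
        """Two consecutive codes pin down the token's current step; store the
        offset so later checks can use a narrow window (the 'first
        authentication' step from the reply)."""
        base = server_time // self.step
        for k in range(-search, search + 1):
            c = base + k
            if hotp(self.key, c) == code1 and hotp(self.key, c + 1) == code2:
                self.delta = (c + 1 - base) * self.step
                self.last_counter = c + 1
                return True
        return False


def demo() -> dict:
    """Constructed scenario: the token's clock runs 200 s behind the server."""
    T0 = 1_400_000_000                  # constructed server time

    def token_at(t: int) -> int:        # what the token display shows at server time t
        return totp(DEMO_KEY, t - 200)

    v = TotpVerifier(DEMO_KEY, window=1)
    out = {}
    # 1. Before any resync the 3-step drift falls outside a +/-1 window.
    out["before_resync"] = v.check(token_at(T0), T0)
    # 2. Resync with two consecutive codes learns the offset (-180 s, rounded
    #    to the step granularity).
    out["resync"] = v.resync(token_at(T0 - 60), token_at(T0), T0)
    out["delta"] = v.delta
    # 3. Two minutes later the display already shows the next code, but the
    #    code that just vanished is still inside the window: accepted.
    out["stale_accepted"] = v.check(token_at(T0 + 60), T0 + 120)
    # 4. The same code a second time is a replay: refused.
    out["replay"] = v.check(token_at(T0 + 60), T0 + 120)
    # 5. With the offset known the window can be closed to the current step
    #    only; now the just-expired code is refused...
    v.window = 0
    out["stale_narrow"] = v.check(token_at(T0 + 120), T0 + 180)
    # 6. ...and only the code on the display right now is accepted.
    out["current_narrow"] = v.check(token_at(T0 + 180), T0 + 180)
    return out


if __name__ == "__main__":
    print(demo())
```

Step 3 is exactly what the first post observed: with a window of one step on each side, a code that has just disappeared from the display is still valid for up to one more step. Step 5 shows the reply's advice in action: once the token's offset has been learned, the window can be narrowed, but even with window = 0 a code remains valid until the server's own step boundary, so there is always some interval after the display changes in which the old code is still accepted.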