If your website shows the chatbox to authenticated users only (in other words, users for whom you have an internal identification value, such as a user ID, an email or a token), you may want to ensure that the Crisp chat session associated with that user stays the same, whatever device he is on and whether or not he clears his cookies. This ensures you get chats from the same user in the same Crisp session.
You can do so using Crisp Tokens. A token is a private and secure arbitrary value that is known to your system, and sent when you inject Crisp in the page. Each user must be associated with a different token.
Sessions can be associated to tokens, or restored from tokens, using the
You can use the following Crisp chatbox code (fill CRISP_TOKEN_ID with your secure user token ID, and CRISP_WEBSITE_ID with your Website ID):
Please note that:
Once you are done, ensure you follow our security best practices by reading the sections on security below.
Please read everything that follows before implementing CRISP_TOKEN_ID on your website.
Because Crisp puts a strong emphasis on security, we do not allow sessions to be restored or merged when the user fills in his email in the chatbox after he has sent his first message.
The reason is the following: some of your users may send sensitive information on your chat. They may have an email address known to some attackers. A very simple attack could then recover the user's chat session: start a new chat session and fill in the email field with the attacked user's email address, then see all past messages from the attacked user. Of course, this type of attack is not possible with Crisp (this was an example).
However, if you use an insecure identification token, such as an email address (in other words, a token that can be known to unauthenticated users), the attack described above is still possible. For instance, if you set CRISP_TOKEN_ID to the user's email address (a value that can be known to an attacker), then the attacker can recover any previous chat session with the attacked user by setting the CRISP_TOKEN_ID value to the email he wants to target.
Crisp declines all responsibility for insecure implementations of this feature. You have to ensure that the tokens you associate with sessions are secure and only known to an authenticated user.
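One way to produce a token that meets this requirement, shown as an added example (not Crisp's own code): derive it on your server with HMAC-SHA256 from the internal user ID and a secret only your backend holds, so the value is the same on every device but cannot be computed from an email or user ID alone. The function names, the `crisp-session-token:` prefix, the 64-character hex output and the sample secret are assumptions made for this illustration.

```python
import hashlib
import hmac
import re

# Constructed sample secret for the demo only; in production load a random
# value of 32 bytes or more from your secret store, never from source code.
DEMO_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def derive_crisp_token(user_id, secret):
    """Return a stable, unguessable value to use as CRISP_TOKEN_ID.

    The same user always gets the same token, on any device. Without
    `secret`, knowing the user ID or email does not reveal the token.
    """
    if not user_id:
        raise ValueError("user_id must identify an authenticated user")
    if len(secret) < 32:
        raise ValueError("secret must be at least 32 random bytes")
    # Prefix separates this use of the secret from any other use of it.
    message = b"crisp-session-token:" + str(user_id).encode("utf-8")
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def is_guessable_token(token, public_values=()):
    """Flag token candidates that an attacker could know or enumerate."""
    if token in public_values or EMAIL_RE.match(token):
        return True  # emails and usernames are known to third parties
    if token.isdigit():
        return True  # sequential database IDs can be enumerated
    return len(token) < 32  # too short to resist guessing
```

Compute the token only after the user has authenticated, and render the result into the page as CRISP_TOKEN_ID; the secret itself never leaves the server.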