To prevent link tampering, we suggest using the built in MD5 Hash feature. MD5 is an encrypted code based on the survey id, identifier, and a custom text that is added as an extra parameter to the end of the survey access URL. If respondents try and change any information in the link it will become invalid and not allow them access into the survey. They will see the "Invalid survey invitation" system info page.
MD5 is only used to make the survey access URLs more secure. If you are interested in data encryption you may want to consider purchasing an SSL license, which your account manager can assist you with.
Example link containing MD5
1: MD5 Hash for Survey
From the Survey Properties, make sure "Secure Invitation (Identifier verified by MD5 hash)" is checked under Allowed survey access methods. The field below, "Secret MD5 hash salt", is where you define a custom text string to use. This text is not displayed in the link but is used in conjunction with the survey id and identifier for generating the unique hash code. Use a hash salt that respondents could not easily guess for maximum security (i.e. alphanumeric, multi-case and special characters.)
NOTICE: Kinesis Survey invitation system already uses a verification code appended to links for added security. If sending invites directly from the survey install, MD5 will not be necessary. If sending invites through a third-party sample provider, their invitation system will need to be able to handle generating the MD5 hash code to use this feature.
2: MD5 Hash For Panel Projects
When using Kinesis Panel to send invites, MD5 must be configured in both the survey settings AND the project settings. The md5 hash code must be the same for both. When "MD5 Algorithm" is selected you will notice that "&hash=[hash]" automatically gets appended to the Survey URL. Do not remove or modify this added parameter.
You may notice that SHA-1 is also listed as an option under Use hash verification. SHA-1 is a similar type of hash security that is not built into Kinesis Survey. This may be used if your panel is linked to a non-Kinesis survey install that is compatible with SHA-1.
3: MD5 Hash for Exit Links
Termination links can be secured from tampering by using the hash verification setting. Choose the hash algorithm you would like to use. The survey application must have support for adding the hash verification at the end of the termination URLs. This is not automatically built-in to Kinesis Survey, but can be generated with computational logic.
3.1: MD5 Hash Exit Links in Panel
This feature is applied by choosing "MD5 Algorithm" from the provided pulldown within the Rewards and termination links section of the project details (see screenshot below). Notice that this will automatically update the termination URLs to append "&hash=[hash]".
3.2: MD5 Hash Exit Links in Survey
The MD5 hash code for exit links is generated based on the following parameters:
"sesskey=" + [sesskey] + "&status=" + [status] + [hash salt]
The elements in brackets above must pipe in the corresponding values based upon the current session. The "hash salt" should be the same one used for incoming links setup in previous sections. You will need three separate hidden computational questions for generating each unique status hash code. All will use the template logic below, with the "&status=1" text updated accordingly. Example computational logic, which only accounts for a Completed URL:
# Secret Hash salt (as specified in the project properties in Kinesis Panel) $USER_salt = "HaShCoDe^123"; # Builds URI string from session key and status value $USER_uri = "sesskey=".$IN_sesskey."&status=1"; # Calculates MD5 hash based on concatenated Salt and URI $USER_md5 = md5($USER_uri.$USER_salt); # Returns MD5 hash return $USER_md5;
The hash code generated in this computational question can then be passed into the survey exit link URL by referencing the question label. For example:
- Completed URL: http://web5.kinesissurvey.com/suppor...&hash=[Qhash1]