If your website shows the chatbox for authenticated users only - in other words: users for which you have an internal identification value, such as an user ID, an email or a token - you may want to ensure that the Crisp chat session associated to that user stays the same, whatever the device he is on and whether your user clears his cookies or not. This ensures you get chats from the same user in the same Crisp session.

You can do so using Crisp Tokens. A token is a private and secure arbitrary value that is known to your system, and sent when you inject Crisp in the page. Each user must be associated to a different token.

How To Associate A Session To A Token?

Sessions can be associated to tokens, or restored from tokens, using the CRISP_TOKEN_ID variable.

You can use the following Crisp chatbox code (fill CRISP_TOKEN_ID with your secure user token ID, and CRISP_WEBSITE_ID with your Website ID):

<script type="text/javascript">
$crisp = [];
CRISP_TOKEN_ID = 'UserSecureTokenFromMyWebsite';

Please note that:

Tokens can only be passed on chatbox code injection, and not after.
When you test this code, ensure you don't have any Crisp session cookie left, as tokens are associated to sessions only for new sessions (that is, sessions not restored from a cookie). You can clear your Crisp session cookie using $crisp.do("session:reset").

Once you are done, ensure you follow our security best practices by reading the sections on security below.

Important Notes On Security

Please read everything that follows before implementing CRISP_TOKEN_ID on your website.

Because Crisp puts a strong emphasis on security, we do not allow sessions to be restored / merged when the user fills his email in the chatbox, after he sent his first message.

The reason is the following: some of your users may send sensitive information on your chat. They may have an email address known to some attackers. A very simple attack would then be possible to recover the user chat session: start a new chat session and fill the email field using the attacked user email address. Then, see all past messages from the attacked user. Of course, this type of attack is not possible with Crisp (this was an example).

However, if you use an unsecure identification token, such as an email address - in other words, a token which can be known from unauthenticated users - the attack described above is still possible. For instance, if you set CRISP_TOKEN_ID to the user's email address (which is then a value that can be known to an attacker), then the attacker can recover any previous chat session with the attacked user by setting the CRISP_TOKEN_ID value to the email he wants to target.

Crisp declines all responsibility for unsecure implementations of this feature. You have to ensure that the tokens you associate to sessions are secure and only known to an authenticated user.
Was this article helpful?
Thank you!