API talk:Tokens

Latest comment: 9 years ago by RobinHood70 in topic Token Lifespan

I only get '+\' as an csrf-token

edit

Please, can somebody help me?--Mischa004 (talk) 18:14, 16 February 2015 (UTC)Reply

My PHP-code:

$parameters = array('action' => 'query', 'meta' => 'tokens', 'format' => 'json');
$options = array(
   'http' => array(
      'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
      'method'  => 'POST',
      'content' => http_build_query($parameters),
    ),
);
$context  = stream_context_create($options);
$result = file_get_contents($wiki, false, $context);
echo "$result";
That's how the token currently looks what you're not logged in (although there are plans to use real token for anonymous users too). Nothing to worry about. Matma Rex (talk) 20:19, 16 February 2015 (UTC)Reply
Thank you! In fact, I really want to have a token to edit as a registered user. Before obtaining the token as shown above I login with this PHP-code:
$parameters = array('action' => 'login', 'lgname' => 'mischa', 'lgpassword' => 'PASSWORD', 'format' => 'json');
$options = array(
   'http' => array(
      'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
      'method'  => 'POST',
      'content' => http_build_query($parameters),
    ),
);
$context  = stream_context_create($options);
$result = file_get_contents($wiki, false, $context);
Note: $wiki can be for example http://en.wikipedia.org/w/api.php --Mischa004 (talk) 20:29, 16 February 2015 (UTC)Reply
Looks like you're not passing the cookies from the first request to the second one? I'm afraid I have no idea how that's done in PHP, though. Matma Rex (talk) 20:51, 16 February 2015 (UTC)Reply
Thank you! I have to check this the day after tomorrow,--Mischa004 (talk) 20:56, 16 February 2015 (UTC)Reply

@Mischa004 and Matma Rex: Hi! I'm having the same problem. I always get {"query":{"tokens":{"csrftoken":"+\\"}}} as result and I'm definitely passing the received cookies to the query. Did you solve the problem, Mischa004? --jobu0101 (talk) 17:03, 1 May 2015 (UTC)Reply

I assume you're logging in successfully? (Return value should include result=Success either on the first try for old wikis or after sending the login token for anything newer.) Assuming that part's okay, can you post the relevant part of your code, or at least the command that it's generating, so we can have a look at it? Robin Hood  (talk) 22:00, 1 May 2015 (UTC)Reply
@RobinHood70: Thank you very much. It was my fault. I didn't login properly. I missed the second request which you need when you get {"login":{"result":"NeedToken","token":"...","cookieprefix":"enwiki","sessionid":"..."}} back from the first request. By the way: When I log out, is it true that I then end all sessions and not only the current one? Or isn't it possible to be logged in using the API in more then one session? --jobu0101 (talk) 11:47, 2 May 2015 (UTC)Reply
I don't know the details of how logging in and out works, so I'm not sure if the cookies you get are session-specific or not. If you experiment with it, though, let me know or just add it to the page, because that would be useful info. Also, keep in mind that the MediaWiki sites use CentralAuth, which changes the whole login/logout process significantly. For those, if you log out of an account by either the UI or the API, you're logged out of all sessions on all sites for that user. Robin Hood  (talk) 18:13, 2 May 2015 (UTC)Reply

Unregistered editing

edit

Unregistered users can't get tokens, per above. Does this mean that API:Edit is only for registered users? That sounds like a bug, but is it a bug of the token generation or of the edit API? --Nemo 15:34, 17 August 2015 (UTC)Reply

@Nemo bis: How does the above mean that unregistered users can't get tokens? Matma Rex (talk) 16:05, 17 August 2015 (UTC)Reply
AFAICS above it was said that unregistered users can only get +\\, which AFAICS is inservible as token. If that string can be used as token, it would be useful to document how at API:Edit. --Nemo 16:37, 17 August 2015 (UTC)Reply
+\ is a perfectly serviceable token for anonymous users that you can use exactly like any other token string. Matma Rex (talk) 16:58, 17 August 2015 (UTC)Reply
If you need proof, I just ran my bot on a test wiki without logging in using the following POST command: api.php?action=edit&title=Main Page&text=Some text&summary=Test edit&bot=&md5=9db5682a4d778ca2cb79580bdb67083f&token=+\&format=json&formatversion=2. (The display is prettified slightly, which is why you don't see the second \.) Everything went smoothly and the IP shows up in the history, just as you would expect. Robin Hood  (talk) 17:03, 17 August 2015 (UTC)Reply
Ok, thanks; I added API:Edit#Unregistered users. My error was very silly, I'm still used to the XML format so in quick manual testing I forgot to remove the escaping slash of the JSON format. --Nemo 09:02, 20 August 2015 (UTC)Reply
Is that an XML-only thing? Good to know. It's been so long since I played with it, I'd forgotten. I assumed it was the fact that I was using human-readable text in the URL (e.g., it doesn't show %20, it shows an actual space). Robin Hood  (talk) 16:19, 20 August 2015 (UTC)Reply

Token Lifespan

edit

How long does it take before a token expires? 1 action? or some specific time? Bluedeck 01:13, 11 October 2015 (UTC)Reply

I believe all the tokens provided by this module are good for the entire length of time you're logged in. Some of the older tokens provided by other modules were specific to the action you were taking, but I don't think any of those are required on modern versions (>= 1.24) of MediaWiki. Robin Hood  (talk) 06:59, 11 October 2015 (UTC)Reply
Return to "Tokens" page.