Login Handling Guide

Login Id

All XML requests to the Travelfusion service require a LoginID and an XmlLoginId (except the Login request). The LoginId represents the end user's Travelfusion account. The XmlLoginId represents the account of the XML client (you). In most cases these will both have the same value, as the end user does not normally have their own Travelfusion account. 

Each of these ids can be obtained by submitting a Login request (see Connection Guide). The id returned will be valid indefinitely by default. However Travelfusion supports various security enhancements such that the LoginId can be set to be valid either:

• • For a fixed number of minutes from the moment it was issued, OR

  • For a fixed number of minutes from its last use (i.e. it will be valid indefinitely until it is not used for a certain period of time)

Please contact Travelfusion to discuss these options if you wish to activate either of these raised security levels. 

The LoginId and XmlLoginId must be submitted as child elements of the command name element in every XML request to Travelfusion (except the Login request) - even if they do not appear in the specification for that request. They must also be submitted for non-XML requests such as map generation, and the format will be described in the specification for these requests. Since the map server is a separate server, it must be logged into independently to obtain a separate LoginId for use in map generation requests. A separate username and password will also be needed. 

Security Rules

The security rules currently in place, offered separately or in combination designed for the purpose of only to reduce/prevent fraud. We strongly recommend making use of both features to maximise security. Please note, both features are optional. However, should you decide to not make use of any of the new features, Travelfusion will not take any responsibility for the consequences of any account breaches or fraudulent use of accounts.

IP Whitelisting

Travelfusion will whitelist the IP address(es) you use to connect to our API so your credentials cannot be used from other IPs. If you wish to whitelist your IP address(es) please send a request via email to our Operations team at operations@travelfusion.com

Password Expiry

Users with the password expiry feature enabled should change their password before it expires (password expires every 90 days). This can be done either using the reports portal (https://reports.travelfusion.com/admin/Branch/password/[USERNAME]) or by sending the NewPassword command directly:

<CommandList>

  <NewPassword>

    <Username>[USERNAME]</Username>

    <PasswordCurrent>[CURRENT_PASSWORD]</PasswordCurrent>

    <PasswordNew>[NEW_PASSWORD]</PasswordNew>

  </NewPassword>

</CommandList>

1. Passwords must be between 8 and 20 characters.

2. The only characters allowed are numbers, letters (upper and lower case) and the following special characters: ?!@#$%^+-_=

3. Passwords must contain at least 1 capital letter, 1 lower letter, 1 numbers and 1 special character

• If a user attempts to login with an incorrect password too many times in a row their account will be deactivated. An email will be sent to the user with the subject “Your Travelfusion XML API Username [USERNAME] has been deactivated”.

• If a user forgets their current password they should request a password reset by emailing the operations team. Please include a username and an email address associated with this username.

1. The Operations team will send an email to the user’s contact email address with the subject “Travelfusion password reminder”, please follow the instructions accordingly.

• Users whose passwords will expire within 15 days will receive a daily email reminding them to change their password. The subject of the email is “Your Travelfusion XML API Username [USERNAME] expires in X days“

• When the password is changed the LoginId will also change. The user should retrieve the new LoginId using the Login command: 

<CommandList>

  <Login>

    <Username>[USERNAME]</Username>

    <Password>[PASSWORD]</Password>

  </Login>

</CommandList>

• The old LoginId will continue to be accepted in addition to the new LoginId for 15 minutes after the password is changed, after which it will stop being accepted and the new LoginId must be used.

• If a user does not change their password before it expires then the next time they attempt to run any command (e.g. StartRouting) their user account will be deactivated and an email will be sent to the client indicating that the account has been deactivated and instructing them on how to get it reactivated. The subject of the email is “Your XML API Username [USERNAME] has been deactivated“

If you have any specific requirements not covered by the above, please contact Travelfusion.