Travelfusion Direct Connect XML API > Guidelines >

Login Handling Guide

Login Id

All XML requests to the Travelfusion service require a LoginID and an XmlLoginId (except the Login request). The LoginId represents the end user's Travelfusion account. The XmlLoginId represents the account of the XML client (you). In most cases these will both have the same value, as the end user does not normally have their own Travelfusion account.

Each of these ids can be obtained by submitting a Login request (see Connection Guide). The id returned will be valid indefinitely by default. However Travelfusion supports various security enhancements such that the LoginId can be set to be valid either:

- For a fixed number of minutes from the moment it was issued, OR
- For a fixed number of minutes from its last use (i.e. it will be valid indefinitely until it is not used for a certain period of time)

Please contact Travelfusion to discuss these options if you wish to activate either of these raised security levels.

The LoginId and XmlLoginId must be submitted as child elements of the command name element in every XML request to Travelfusion (except the Login request) - even if they do not appear in the specification for that request. They must also be submitted for non-XML requests such as map generation, and the format will be described in the specification for these requests. Since the map server is a separate server, it must be logged into independently to obtain a separate LoginId for use in map generation requests. A separate username and password will also be needed.

Security Rules

There are various other security features relating to the logins. These rules are not active by default but may be activated if required (Please contact Travelfusion in this case). Some examples are:

- If the wrong password is used 3 times in a row, the account can be deactivated.
- A 'logout' request can be sent at any time to cancel a LoginId. This can be used to provide additional security.
- Password changes can be forced periodically. This is fully configurable.
- A forgotten password facility exists which enables users to receive an email enabling them to select a new password. This requires security questions to be answered.
- Each username has only one valid login id at any time. Each login request can cause the existing login id to be replaced by a new one