loginTest

This method returns a cons_id if the user is already logged in or could be logged in because of a "remember me" cookie. 

Client Servlet: CRConsAPI
Server Servlet: None.
HTTP Methods Supported: GET, POST
Requires Authentication: No.

Client API Syntax

https://secure2.convio.net/organization/site/CRConsAPI?method=loginTest &api_key=value &v=value [ &center_id=value ] [ &error_redirect=value ] [ &redirect=value ] [ &response_format=xml | json ] [ &sign_redirects=value ] [ &source=value ] [ &sub_source=value ] [ &success_redirect=value ] [ &suppress_response_codes=value ]

Usage Notes

The loginTest method allows you to determine whether a user is already logged in to Luminate Online when the user establishes a session with your partner system or attempts to access restricted content.

2020 Update: This method no longer supports HTTP GET requests. Invoke the loginTest method on the secure HTTPS channel to create cookies that comply with the latest Google Chrome updates.


Client API Parameters
Common Client Parameters

See topic Common Parameters.

Response

See topic HTTP Status Codes.

XML response


<?xml version="1.0" encoding="UTF-8"?>
<loginResponse xsi:schemaLocation="http://convio.com/crm/v1.0 http://service.convio.net/xmlschema/crm.public.v1.xsd" xmlns="http://convio.com/crm/v1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <cons_id>100245</cons_id>
  <timestamp>1454341434</timestamp>
  <signature>451e7f1178fa4ed1cc68c44970f29345</signature>
  <token xsi:nil="true"/>
  <login_test_url>https://secure2.convio.net/organization/site/CRConsAPI?v=1.0&amp;api_key=site_api_key&amp;method=loginTest</login_test_url>
  <nonce xsi:nil="true"/>
  <JSESSIONID xsi:nil="true"/>
  <routing_id xsi:nil="true"/>
</loginResponse>

JSON response

{"loginResponse":{"routing_id":null,"login_test_url":"https://secure2.convio.net/organization/site/CRConsAPI?v=1.0&api_key=site_api_key&method=loginTest","timestamp":"1454341434","JSESSIONID":null,"nonce":null,"token":null,"cons_id":"100245","signature":"451e7f1178fa4ed1cc68c44970f29345"}}

        

Examples

Establishing a Session

When a user comes to the partner system for the first time, the system establishes an initial session. The partner system then wants to check with Luminate Online to determine if the user can be logged in with a "remember me" cookie, or whether the user is already logged in to the Luminate Online system.

The solution in this scenario is to redirect the user to:

				https://[org]/site/CRConsAPI?method=loginTest&api_key=(key)&v=1.0&sign_redirects=true&success_redirect=(page)?cons_id=&error_redirect=(page)?cons_id=0
			

Upon the user's return, verify the signature and, if cons_id != 0, log in the user. If the cons_id on the return is zero, the partner system should treat that user as an anonymous user.

Accessing Restricted Content

When a user who is not logged in requests content available only to registered users, the partner system will want to check with Luminate Online to see whether the user can be logged in with a "remember me" cookie or has already logged in to the Luminate Online system.

The solution in this scenario is to redirect the user to https://[org]/site/CRConsAPI?method=loginTest&api_key=(key)&v=1.0&sign_redirects=true&success_redirect=(page)?cons_id=&error_redirect=(login page)

Upon the user's return, verify the signature and, if cons_id != 0, log the user in. If the user is not already logged in, the redirect loads a login page on the partner system. That login page will then follow the steps for the next scenario.

Accessing Restricted Content Without Redirection

This is for the same use case as the Accessing Restricted Content example above, used when the partner system needs to test asynchronously, without waiting on HTTP redirects.

The solution in this scenario is to invoke the API over a secure channel from the browser using JavaScript.

Upon the completion of the API call, if the cons_id field of the response is not zero, then use JavaScript to redirect the browser to the partner site. Pass the cons_id, timestamp, and signature fields from the response to the partner site's server so that the server can verify the authenticity of the request.

Verify the signature the same way you verify signed redirects. To verify the signature, append the cons_id, timestamp, and API secret key into a single text string (without any delimiters between them) and compute its hash value. This value should match the signature provided in the API response. Remember that to prevent "replay" attacks, you should check that the timestamp is within a few seconds of the current time.
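The server-side check described in the paragraph above, as an added example for Node.js (not Luminate Online's own code): it recomputes the hash, compares it in constant time, and enforces the timestamp window. The function names, option names and sample secret are hypothetical; the hash algorithm (MD5) and the Unix-seconds timestamp are assumptions inferred from the sample response, since this page names neither.

```javascript
const crypto = require('crypto');

// Hex hash of cons_id + timestamp + secret key, joined without delimiters.
// ASSUMPTION: the page does not name the hash algorithm; 'md5' is used here
// only because the sample signature is 32 hex characters long.
function expectedSignature(consId, timestamp, secretKey, algorithm = 'md5') {
  return crypto.createHash(algorithm)
    .update(`${consId}${timestamp}${secretKey}`, 'utf8')
    .digest('hex');
}

// Returns { ok, consId, reason }; consId is null unless a logged-in user verified.
function verifyLoginTest(fields, secretKey, opts = {}) {
  const { algorithm = 'md5', maxSkewSeconds = 10 } = opts; // hypothetical options
  const now = opts.now ?? Math.floor(Date.now() / 1000);
  const consId = String(fields.cons_id);
  const timestamp = String(fields.timestamp);
  const signature = String(fields.signature).toLowerCase();

  // These values arrive via the browser: accept only digits and hex.
  if (!/^\d{1,18}$/.test(consId) || !/^\d{1,12}$/.test(timestamp) ||
      !/^[0-9a-f]+$/.test(signature)) {
    return { ok: false, consId: null, reason: 'malformed' };
  }
  // Replay check. ASSUMPTION: timestamp is Unix seconds, as the sample suggests.
  if (Math.abs(now - Number(timestamp)) > maxSkewSeconds) {
    return { ok: false, consId: null, reason: 'stale' };
  }
  const expected = expectedSignature(consId, timestamp, secretKey, algorithm);
  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (expected.length !== signature.length ||
      !crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(signature))) {
    return { ok: false, consId: null, reason: 'bad signature' };
  }
  // cons_id 0 means nobody is logged in: treat the user as anonymous.
  if (Number(consId) === 0) return { ok: true, consId: null, reason: 'anonymous' };
  return { ok: true, consId, reason: 'verified' };
}

// Constructed sample (secret and signature are made up for this example).
const sampleSecret = 'constructed-secret';
const sample = { cons_id: '100245', timestamp: '1454341434' };
sample.signature = expectedSignature(sample.cons_id, sample.timestamp, sampleSecret);
console.log(verifyLoginTest(sample, sampleSecret, { now: 1454341436 }));
console.log(verifyLoginTest(sample, sampleSecret)); // stale when run today
```

Because the fields are joined without delimiters, a digit moved between cons_id and timestamp produces the same hash input; the timestamp window rejects such inputs, since the shifted timestamp lands far from the current time.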

The partner site may want to continuously check whether the user has logged in to or out of the Luminate Online hosted site without needing to redirect the browser when such an event occurs. The loginTest method response includes a URL that can be called from the partner site's server, enabling the server to customize the page for the user before sending it to the browser. It is important to note that the initial call must come from the browser to establish a session for the user and to create a URL that is specific to that session.

Comments

Submitted by Steve Brush at 11:45 AM on April 30, 2013
Here's an example of a correct jQuery AJAX call for loginTest:

    $.ajax({
      contentType: 'application/x-www-form-urlencoded',
      data: 'method=loginTest&api_key=[value]&response_format=json&suppress_response_codes=true&v=1.0',
      dataType: 'json',
      success: function(data) { console.log(data); },
      type: 'GET',
      url: 'http://[non-secure domain]/site/CRConsAPI',
      xhrFields: { withCredentials: true }
    });

NOTE(!): The xhrFields attribute is required for this to work.