There are no usernames in the system - it works off member numbers and while there are large gaps for resigned and deceased members in the lower number range, if you picked a member number around 8000 then there would almost certainly be a current member with that number - from there you could probably find a valid member number / branch combination within two or three guesses. Ideally the member should be required to login properly to the main site and have that determine their access to any other club site.
Do you have access to each user's email info on your system? If so you could use that instead of username.
Yes, there will need to be at least one (preferably more) piece of info/data to reference.
I would think “member name”, “email address” and “password” would be good candidates. Using “member id number” would be a problem.
You’ll probably want to have a “branch token” given to each branch too. That will help make the API safer, by at least keeping the control of the API’s use in your hands. If you feel a branch is abusing the API, you can just void the token and only that branch is no longer allowed to use the API.
For those who have supplied email addresses I do. Those who haven’t are unable to login at all since they need to supply an email address to receive an email with a link to login for the first time.
Perhaps not - we have multiple members with the same name (for a while there was another member with my name and we were both writing for the club magazine and regularly got mail intended for the other), multiple members sharing email addresses (often families only have one address for husband and wife and children) and I don’t want the members entering their password anywhere other than on the main site. We even have at least one instance where father and son have the same name and email address. The only value guaranteed to be unique for a member is their membership number.
From the suggestions so far I have thought of a way to provide a one-way link - from the main site to the branch site.
- When each member logs in to the main site it creates a token that gets passed in the session that is used to identify the member until they log out or close their browser or the session times out.
- I could set up a link from the main site to the branch site that passes this token.
- If the branch site were to then pass back the same token and the branch token, I could then supply member details such as member number, name etc.
This would at least maintain the necessary security on the main site,
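The one-way link described in the post above, as an added Python example that is not part of the original thread: the main site issues an opaque session token at login, passes only that token in the link to the branch site, and releases member details solely when the branch site presents that token together with a branch token that has not been voided. The in-memory stores, the 30-minute expiry, the link URL and the sample member are assumptions.

```python
import secrets
import time

# Constructed in-memory stores standing in for the main site's database
# (assumption: the real site keeps all of these server-side).
SESSION_TTL = 30 * 60   # seconds until a session token expires
_sessions = {}          # session token -> {"member": int, "expires": float}
_branch_tokens = {}     # branch token -> branch name, or None once voided
_members = {8001: {"number": 8001, "name": "A. Member", "branch": "North"}}  # constructed


def login(member_number, now=None):
    """Main-site login: issue an unguessable session token for this member."""
    token = secrets.token_urlsafe(32)
    _sessions[token] = {"member": member_number,
                        "expires": (now or time.time()) + SESSION_TTL}
    return token


def logout(token):
    """Log out (or session timeout): the token stops identifying anyone."""
    _sessions.pop(token, None)


def issue_branch_token(branch):
    """Give a branch its own token so its API use can be controlled separately."""
    token = secrets.token_urlsafe(32)
    _branch_tokens[token] = branch
    return token


def void_branch_token(token):
    """Revoke one branch's API access without touching member sessions."""
    _branch_tokens[token] = None


def branch_link(session_token):
    """Link from the main site to the branch site; carries only the opaque token."""
    return "https://branch.example/sso?token=" + session_token


def lookup_member(session_token, branch_token, now=None):
    """API call made by the branch site: both tokens must be valid to get details."""
    if _branch_tokens.get(branch_token) is None:
        return None                       # unknown or voided branch token
    session = _sessions.get(session_token)
    if session is None:
        return None                       # unknown, logged-out or expired token
    if (now or time.time()) >= session["expires"]:
        _sessions.pop(session_token, None)  # expire it on first use after the TTL
        return None
    member = _members[session["member"]]
    return {"number": member["number"], "name": member["name"], "branch": member["branch"]}
```

Because the link never carries the member number, a branch cannot guess its way to another member's details; it can only resolve tokens the main site issued during a live session.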