About Tickets

The “ticket” for a case is a generated 16-character value, that, when combined with the case number, allows outside users to see certain parts, and attributes of, their case. It used to be generated only for cases emailed into the system, but is now generated for all cases.

The chance of a random outside user guessing this ticket value is 36 to the power of 16, about 7.959 * 10^24 to 1. Coincidentally, you’re an order of magnitude more likely to pick a single carbon atom out of 12 grams of pure Carbon-12 (1 mole).

More specifically, there are 7,958,661,109,946,400,884,391,936 possible values for a given case.

If someone was trying to “brute force” access to a case, you would almost certainly detect the millions of hits on the same case, and we certainly will detect it on our servers (for those folks on Manuscript On Demand).

Sending a Ticket

You can send a customer the ticket url using a snippet, like this:

1. Go to Avatar menu > Snippets

2. Create a snippet called ticket

3. Put the following in the snippet: {ticketurl}

4. Now, you have a fancy new ticket url snippet called “ticket”

Any person in possession of the ticket url will have a limited view of that case and any other cases opened by the same correspondent.

Removing Ticket Access to a Case

Ticket URLs can be removed from cases one at a time. Using the default.asp endpoint, pass the case number and ticket with an underscore (_) between them and the command parameter removeExternalAccess. For example, if case 1234’s ticket is 42umo5hjc1h6vurl and your Manuscript site is http://example.manuscript.com/, go to:

http://example.manuscript.com/default.asp?1234_42umo5hjc1h6vurl&command=removeExternalAccess

to remove the ticket URL for the case. As a result, http://example.com/manuscript/default.asp?1234_42umo5hjc1h6vurl will no longer allow access to case 1234. There is no way to restore ticket access to a case once it is removed.