I don't know if there are any technical reasons not to use a cookie, but think of the business reasons:
1. You wouldn't know how many shopping carts were abandoned.
2. You wouldn't know what products people are putting in their cart and then abandoning their carts.
3. What if someone had something in their cart but then that item sold out before that person checked out?
4. What if the end user has cookies disabled?
I don't know about "best" but what I do is store the cart selections server-side. Here is my reasoning.
If you store vars "in-page" as hidden values, this gives a potential hacker insight into How Things Work. Also it can be quite cumbersome after a while, carrying around a bunch of hidden values, or make for long and cumbersome query strings.
If you rely too heavily on cookies, same deal, and there **is** a limitation on how much data you can set in a cookie.
I try to keep it minimal: I use a shoppers' cookie *only* for the id that connects them with their cart. If the cookie cannot be read after the first item is added, they get a BIG WARNING that they won't be able to navigate out of the shopping cart because they have cookies disabled.
The really big advantage is as mentioned in the second post: through your admin interface, you can view all specific details of the abandoned orders, and trace their paths backwards through your site.
For me, it's just as important to keep it simple. I'd rather load up the database with static values than have to chase around dynamic values when something is broken.
Thanks for the suggestions guys. I think I will stick to the database.
|4. What if the end user has cookies disabled? |
|I use a shoppers' cookie *only* for the id that connects them with their cart |
I don't really think it's possible to avoid that cookie, unless you append your session ID onto every URL, but that would be very messy.
|I don't really think it's possible to avoid that cookie... |
Out of curiosity I've just been 'shopping' at a handful of the biggest online shops I could think of with cookies disabled and none of them could keep track of my shopping cart.
A couple at least gave a warning that I needed to have cookies enabled. Another gave a warning that 'something' was wrong and the others just carried on regardless, except that my cart was empty (or at least it was after I navigated to another page).
That would seem to suggest that at least a session cookie is the way to go.
If you do not want me to come to your e-commerce site and look at someone else's shopping cart, with all credit card information, never keep ShoppingCartId on a user site (hence cookies). You (everyone) can easily modify his cookie and change ShoppingCartID from 4 to 5.
Use a random 15-character-long string to identify the user. But then why not use the Session object provided by all modern languages like PHP, ASP...
[edited by: George2006 at 6:11 pm (utc) on Jan. 11, 2008]
Well thanks George2006 'new user' for that nugget of wisdom.
|someone else's shopping cart, with all credit card information |
I don't keep credit card information in with the shopping cart data. That would imply the user would have to give it before being able to add an item to the cart.
Second, I don't actually store the numbers on the server at all. Too much red tape and security risk.
|You (everyone) can easily modify his cookie and change ShoppingCartID from 4 to 5. |
You could, but it wouldn't work unless you also knew the MD5 hash of the cart contents.
|Use random 15 characters long string to identify user |
I actually use a timestamp, user IP, PID, and some random numbers to make a 32 character number string.
|Pot.....kettle......black.....I don't really think it's possible to avoid that cookie... |
|If the cookie cannot be read after the first item is added, they get a BIG WARNING that they won't be able to navigate out of the shopping cart because they have cookies disabled. |
By limiting the cookie contents to **just** an identifier to connect it to the cart items, all of the functional dependence is server side. If cookies are disabled, this still allows you to collect the order. If your cart data is stored in the cookie, you have nothing.
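The cookie-holds-only-an-identifier design discussed in the posts above, as an added example that is not code from any poster in this thread. It assumes a CSPRNG token and an HMAC-SHA256 tag in place of the timestamp/IP/PID string and MD5 check mentioned above; `SERVER_KEY`, `CARTS`, `new_cart`, `load_cart` and `add_item` are hypothetical names, and the dictionary stands in for the database.

```python
import hashlib
import hmac
import secrets

# Constructed server-only secret; a real deployment loads it from configuration.
SERVER_KEY = secrets.token_bytes(32)

# Constructed in-memory stand-in for the cart table in the database.
CARTS = {}


def _tag(cart_id: str) -> str:
    """HMAC-SHA256 over the cart id, keyed with the server-only secret."""
    return hmac.new(SERVER_KEY, cart_id.encode(), hashlib.sha256).hexdigest()


def new_cart() -> str:
    """Create an empty cart and return the cookie value '<id>.<tag>'."""
    cart_id = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
    CARTS[cart_id] = []
    return f"{cart_id}.{_tag(cart_id)}"


def load_cart(cookie_value: str):
    """Return the cart for a cookie value, or None if malformed, forged or unknown."""
    cart_id, sep, tag = cookie_value.rpartition(".")
    # Compare as bytes so a non-ASCII tag is rejected instead of raising.
    if not sep or not hmac.compare_digest(tag.encode(), _tag(cart_id).encode()):
        return None  # refused before any database lookup
    return CARTS.get(cart_id)


def add_item(cookie_value: str, sku: str, qty: int) -> bool:
    """Append an item to the cart named by the cookie; False if the cookie is rejected."""
    cart = load_cart(cookie_value)
    if cart is None:
        return False
    cart.append((sku, qty))
    return True


if __name__ == "__main__":
    alice, bob = new_cart(), new_cart()
    add_item(alice, "SKU-1001", 2)  # constructed sample item
    print(load_cart(alice))  # Alice's own cart
    # Bob's id paired with Alice's tag: the tag does not match, so the lookup is refused.
    print(load_cart(bob.split(".")[0] + "." + alice.split(".")[1]))
```

All cart contents stay server-side, so an edited cookie value yields no cart rather than a different shopper's cart.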
Aah, ok. I see your point. I thought that post was amusing - you diss'd cookies and then said that you used one. Now I see what you meant.
Yes I have gone down this route.
Dissed? Nah I love cookies. They're how I keep my girlish figure.
But I always have ice cream to serve if the cookie jar is empty.