HTML Forum

    
Shopping basket practices.
Cookies or database?
Dabrowski




msg:3542518
 7:41 pm on Jan 7, 2008 (gmt 0)

I've written a Perl based shopping basket for a client. No javascript involved yet.

It's fairly basic, the basket code generates a session id if you don't already have one, and stores a list of product codes and a timestamp so I can delete old sessions.

The session ID is stored in a cookie.

My question is: would it be unprofessional to store the contents of the basket in a list of product codes, in a cookie? That way there is less load on my server, and the session id is in a cookie already anyways......

I'm just not sure what the 'professional' way to do it is. I'm guessing database but would like opinions.

 

stajer




msg:3542571
 8:48 pm on Jan 7, 2008 (gmt 0)

I don't know if there are any technical reasons not to use a cookie, but think of the business reasons:

1. You wouldn't know how many shopping carts were abandoned.

2. You wouldn't know what products people are putting in their cart and then abandoning their carts.

3. What if someone had something in their cart but then that item sold out before that person checked out?

rocknbil




msg:3543658
 12:58 am on Jan 9, 2008 (gmt 0)

4. What if the end user has cookies disabled?

:-)

I don't know about "best" but what I do is store the cart selections server-side. Here is my reasoning.

If you store vars "in-page" as hidden values, this gives a potential hacker insight into How Things Work. Also it can be quite cumbersome after a while, carrying around a bunch of hidden values, or make for long and cumbersome query strings.

If you rely too heavily on cookies, same deal, and there **is** a limitation on how much data you can set in a cookie.

I try to keep it minimal: I use a shoppers' cookie *only* for the id that connects them with their cart. If the cookie cannot be read after the first item is added, they get a BIG WARNING that they won't be able to navigate out of the shopping cart because they have cookies disabled.

The really big advantage is as mentioned in the second post: through your admin interface, you can view all specific details of the abandoned orders, and trace their paths backwards through your site.

For me, it's just as important to keep it simple, I'd rather load up the database with static values than have to chase around dynamic values when something is broken.

Dabrowski




msg:3544149
 5:13 pm on Jan 9, 2008 (gmt 0)

Thanks for the suggestions guys. I think I will stick to the database.

rocknbil:

4. What if the end user has cookies disabled?

I use a shoppers' cookie *only* for the id that connects them with their cart

Pot.....kettle......black.....

;)

I don't really think it's possible to avoid that cookie, unless you append your session ID onto every URL, but that would be very messy.

penders




msg:3544243
 6:36 pm on Jan 9, 2008 (gmt 0)

I don't really think it's possible to avoid that cookie...

Out of curiosity I've just been 'shopping' at a handful of the biggest online shops I could think of with cookies disabled and none of them could keep track of my shopping cart.

A couple at least gave a warning that I needed to have cookies enabled. Another gave a warning that 'something' was wrong and the others just carried on regardless, except that my cart was empty (or at least it was after I navigated to another page).

Dabrowski




msg:3544254
 6:46 pm on Jan 9, 2008 (gmt 0)

That would seem to suggest that at least a session cookie is the way to go.

I've also been enquiring about javascript and forms for the same thing - see this thread.
[webmasterworld.com...]

The site I looked at used 5 different forms for its shopping cart to avoid using javascript.

George2006




msg:3545988
 6:10 pm on Jan 11, 2008 (gmt 0)

If you do not want me to come to your e-commerce site and look at someone else's shopping cart, with all credit card information, never keep ShoppingCartId on a user site (hence cookies). You (everyone) can easily modify his cookie and change ShoppingCartID from 4 to 5.

Use a random 15-character-long string to identify the user. But then why not use the Session object provided by all modern languages like PHP, ASP...

George.

[edited by: George2006 at 6:11 pm (utc) on Jan. 11, 2008]

Dabrowski




msg:3546724
 6:51 pm on Jan 12, 2008 (gmt 0)

Well thanks George2006 'new user' for that nugget of wisdom.

someone else's shopping cart, with all credit card information

I don't keep credit card information in with the shopping cart data. That would imply the user would have to give it before being able to add an item to the cart.

Second, I don't actually store the numbers on the server at all. Too much red tape and security risk.

You (everyone) can easily modify his cookie and change ShoppingCartID from 4 to 5.

You could, but it wouldn't work unless you also knew the MD5 hash of the cart contents.

Use random 15 characters long string to identify user

I actually use a timestamp, user IP, PID, and some random numbers to make a 32 character number string.
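
Added example, not part of any post in this thread: a sketch of the design the thread converges on, where the cookie carries only an opaque identifier and the basket lives server-side. It is written in Python rather than the Perl of the original basket; the `CartStore` class, the 24-hour lifetime and the product codes are assumptions made for illustration. The identifier is 32 hex characters drawn entirely from the operating system's CSPRNG, so a changed or guessed cookie value simply matches no cart.

```python
import secrets
import time

SESSION_TTL = 24 * 3600  # assumed lifetime in seconds; the thread gives no figure
ID_BYTES = 16            # 128 bits of CSPRNG output -> 32 hex characters


class CartStore:
    """In-memory stand-in for the database table holding baskets."""

    def __init__(self, now=time.time):
        self._carts = {}  # session id -> {"items": [...], "touched": timestamp}
        self._now = now   # injectable clock so expiry can be exercised

    def new_session(self):
        # Nothing here is derived from a counter, timestamp, IP or PID,
        # so knowing one ID says nothing about any other.
        sid = secrets.token_hex(ID_BYTES)
        self._carts[sid] = {"items": [], "touched": self._now()}
        return sid

    def _lookup(self, sid):
        cart = self._carts.get(sid) if isinstance(sid, str) else None
        if cart is None:
            return None  # unknown, edited or guessed cookie value
        if self._now() - cart["touched"] > SESSION_TTL:
            del self._carts[sid]  # expired: treat exactly like unknown
            return None
        return cart

    def add_item(self, sid, product_code):
        cart = self._lookup(sid)
        if cart is None:
            return False  # caller should issue a fresh session instead
        cart["items"].append(product_code)
        cart["touched"] = self._now()
        return True

    def items(self, sid):
        cart = self._lookup(sid)
        return list(cart["items"]) if cart is not None else None

    def purge_expired(self):
        # The timestamp-based cleanup of old sessions from the first post.
        cutoff = self._now() - SESSION_TTL
        stale = [s for s, c in self._carts.items() if c["touched"] < cutoff]
        for s in stale:
            del self._carts[s]
        return len(stale)
```

When the value from `new_session()` is sent as the cookie, marking it `HttpOnly` (and `Secure` on HTTPS sites) keeps page scripts and plain-HTTP requests from exposing it.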

rocknbil




msg:3548820
 5:02 pm on Jan 15, 2008 (gmt 0)

Pot.....kettle......black.....I don't really think it's possible to avoid that cookie...

If the cookie cannot be read after the first item is added, they get a BIG WARNING that they won't be able to navigate out of the shopping cart because they have cookies disabled.

By limiting the cookie contents to **just** an identifier to connect it to the cart items, all of the functional dependence is server side. If cookies are disabled, this still allows you to collect the order. If your cart data is stored in the cookie, you have nothing.

Dabrowski




msg:3548945
 6:58 pm on Jan 15, 2008 (gmt 0)

Aah, ok. I see your point. I thought that post was amusing - you diss'd cookies and then said that you used one. Now I see what you meant.

Yes I have gone down this route.

rocknbil




msg:3549774
 3:50 pm on Jan 16, 2008 (gmt 0)

Dissed? Nah I love cookies. They're how I keep my girlish figure.

But I always have ice cream to serve if the cookie jar is empty.
