Shopping basket practices.

Cookies or database?

   
7:41 pm on Jan 7, 2008 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



I've written a Perl-based shopping basket for a client. No JavaScript involved yet.

It's fairly basic, the basket code generates a session id if you don't already have one, and stores a list of product codes and a timestamp so I can delete old sessions.

The session ID is stored in a cookie.

My question is: would it be unprofessional to store the contents of the basket in a list of product codes, in a cookie? That way there is less load on my server, and the session id is in a cookie already anyways......

I'm just not sure what the 'professional' way to do it is. I'm guessing database but would like opinions.

8:48 pm on Jan 7, 2008 (gmt 0)

10+ Year Member



I don't know if there are any technical reasons not to use a cookie, but think of the business reasons:

1. You wouldn't know how many shopping carts were abandoned.

2. You wouldn't know what products people are putting in their cart and then abandoning their carts.

3. What if someone had something in their cart but then that item sold out before that person checked out?

12:58 am on Jan 9, 2008 (gmt 0)

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member



4. What if the end user has cookies disabled?

:-)

I don't know about "best" but what I do is store the cart selections server-side. Here is my reasoning.

If you store vars "in-page" as hidden values, this gives a potential hacker insight into How Things Work. Also it can be quite cumbersome after a while, carrying around a bunch of hidden values, or make for long and cumbersome query strings.

If you rely too heavily on cookies, same deal, and there **is** a limitation on how much data you can set in a cookie.

I try to keep it minimal: I use a shoppers' cookie *only* for the id that connects them with their cart. If the cookie cannot be read after the first item is added, they get a BIG WARNING that they won't be able to navigate out of the shopping cart because they have cookies disabled.

The really big advantage is as mentioned in the second post: through your admin interface, you can view all specific details of the abandoned orders, and trace their paths backwards through your site.

For me, it's just as important to keep it simple, I'd rather load up the database with static values than have to chase around dynamic values when something is broken.

5:13 pm on Jan 9, 2008 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



Thanks for the suggestions guys. I think I will stick to the database.

rocknbil:

4. What if the end user has cookies disabled?

I use a shoppers' cookie *only* for the id that connects them with their cart

Pot.....kettle......black.....

;)

I don't really think it's possible to avoid that cookie, unless you append your session ID onto every URL, but that would be very messy.

6:36 pm on Jan 9, 2008 (gmt 0)

WebmasterWorld Senior Member penders is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



I don't really think it's possible to avoid that cookie...

Out of curiosity I've just been 'shopping' at a handful of the biggest online shops I could think of with cookies disabled and none of them could keep track of my shopping cart.

A couple at least gave a warning that I needed to have cookies enabled. Another gave a warning that 'something' was wrong and the others just carried on regardless, except that my cart was empty (or at least it was after I navigated to another page).

6:46 pm on Jan 9, 2008 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



That would seem to suggest that at least a session cookie is the way to go.

I've also been enquiring about javascript and forms for the same thing - see this thread.
[webmasterworld.com...]

The site I looked at used 5 different forms for its shopping cart to avoid using JavaScript.

6:10 pm on Jan 11, 2008 (gmt 0)

5+ Year Member



If you do not want me to come to your e-commerce site and look at someone else's shopping cart, with all credit card information, never keep ShoppingCartId on a user site (hence cookies). You (everyone) can easily modify his cookie and change ShoppingCartID from 4 to 5.

Use a random 15-character-long string to identify the user. But then why not use the Session object provided by all modern languages like PHP, ASP...

George.


6:51 pm on Jan 12, 2008 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



Well thanks George2006 'new user' for that nugget of wisdom.

someone else's shopping cart, with all credit card information

I don't keep credit card information in with the shopping cart data. That would imply the user would have to give it before being able to add an item to the cart.

Second, I don't actually store the numbers on the server at all. Too much red tape and security risk.

You (everyone) can easily modify his cookie and change ShoppingCartID from 4 to 5.

You could, but it wouldn't work unless you also knew the MD5 hash of the cart contents.

Use random 15 characters long string to identify user

I actually use a timestamp, user IP, PID, and some random numbers to make a 32 character number string.
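
Added example, not part of the original thread or any poster's code: a server-side basket store in Python that compares counter-style basket IDs with 128-bit IDs drawn from the operating system's random generator, and applies the timestamp-based expiry described in the first post. `CartStore`, `SESSION_TTL`, the one-hour window and the product code are assumptions made for illustration.

```python
import secrets
import time

SESSION_TTL = 3600  # assumed: seconds before an idle basket is deleted


class CartStore:
    """Server-side baskets; the cookie carries only the basket ID."""

    def __init__(self, random_ids=True):
        self.random_ids = random_ids
        self._counter = 0
        self._carts = {}  # id -> {"items": [...], "touched": epoch seconds}

    def new_session(self, now=None):
        if self.random_ids:
            sid = secrets.token_hex(16)  # 128 bits from the OS CSPRNG, 32 hex chars
        else:
            self._counter += 1           # guessable: 1, 2, 3, ...
            sid = str(self._counter)
        self._carts[sid] = {"items": [], "touched": time.time() if now is None else now}
        return sid

    def cart(self, sid, now=None):
        """Return the live item list for sid, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._carts.get(sid)
        if entry is None:
            return None
        if now - entry["touched"] > SESSION_TTL:
            del self._carts[sid]         # timestamp-based cleanup of old sessions
            return None
        entry["touched"] = now
        return entry["items"]


def edited_cookie(sid, delta):
    """Constructed tampering input: the shopper's own cookie value nudged by delta."""
    if sid.isdigit():
        return str(int(sid) + delta)
    return f"{(int(sid, 16) + delta) % 2**128:032x}"


def neighbour_cart_readable(store):
    """True if nudging one's own cookie value exposes another shopper's basket."""
    victim = store.new_session()
    store.cart(victim).append("SKU-1001")  # constructed product code
    mine = store.new_session()
    return any(store.cart(edited_cookie(mine, d)) for d in (-1, 1))
```

Running `neighbour_cart_readable` against a staging copy of a store is a quick regression check that basket IDs stay unguessable after changes to session handling.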

5:02 pm on Jan 15, 2008 (gmt 0)

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Pot.....kettle......black.....I don't really think it's possible to avoid that cookie...

If the cookie cannot be read after the first item is added, they get a BIG WARNING that they won't be able to navigate out of the shopping cart because they have cookies disabled.

By limiting the cookie contents to **just** an identifier to connect it to the cart items, all of the functional dependence is server side. If cookies are disabled, this still allows you to collect the order. If your cart data is stored in the cookie, you have nothing.

6:58 pm on Jan 15, 2008 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



Aah, ok. I see your point. I thought that post was amusing - you diss'd cookies and then said that you used one. Now I see what you meant.

Yes I have gone down this route.

3:50 pm on Jan 16, 2008 (gmt 0)

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Dissed? Nah I love cookies. They're how I keep my girlish figure.

But I always have ice cream to serve if the cookie jar is empty.