four or five shopping cart design questions



High Level Session Handling Design for a Shopping cart
0) What am I missing?
1) How does OSCommerce do it?

I'm thinking about building a shopping cart from scratch,
using a library of dynamic screen generation routines
(already written) that take an XML stream as input from 
various "search for products" forms. That way I can
run queries in one window and display the dynamic
results in another. The searching functions will probably
not index into a relational schema. Instead I'll use
Lucene to parse keywords and values out of XML-based product
descriptions. I know a lot about XML, Lucene, Xpath, XQuery
and dynamic screen rendering. But I have no experience
(at all) working with shopping carts in general.

2) How does repeat customer session handling usually work?
When a customer first logs in we generate a sessionID 
and send it back to the client as a cookie.

Later on in the session, and before we can consummate a purchase,
they have to supply name, address and (https) credit card number. We
put that stuff (not including the credit card number), along with the 
sessionID, into a database of some kind. That part (customer contact info)
may well be mysql.

Any current shopping cart items are handled as 
session memory items. Session memory will probably track items
with a hashed array of productObject types, which is a complex
object class that includes lots of generic stuff about each product
in the catalog (name, inventoryID, etc.).
That way we can jump from screen
to screen without losing session, while finishing up at a "review cart" screen.

Review cart has cart-editing features (two of these, none of those)
plus contact information editing, plus a "Make Purchase" button that sends the transaction 
off to a 3rd party transaction handler, sends an email receipt 
to the customer and then prints a Thank You screen. It's probably a good idea NOT to store 
credit card numbers on the server. Instead we hold it just 
long enough to clear the transaction.

3) What security pitfalls surround holding credit card information
in session memory? How long do we keep credit card numbers?

5) If the customer negotiates his/her way all the way out to
the cart editing screen, where they do fill in a card number, name
and address, and then change their mind, and go back to 
the shoppingMode screens, do we NULL out the credit card in
session memory? Or keep it around? And if so, for how long?
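Questions 3 and 5 both come down to one rule: the card number lives only in session memory, only while the customer is on the checkout screen, and only until the gateway has been called once. The following is an added example written to show that rule, not code from the post or from any cart package it mentions; the "checkout" mode name, the 120-second holding limit and the caller-supplied `charge` gateway function are all assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

CARD_TTL_SECONDS = 120  # assumed: longest a card number may sit in session memory

@dataclass
class Session:
    # 256-bit random ID, sent back to the client as the session cookie
    session_id: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    cart: Dict[str, int] = field(default_factory=dict)  # inventoryID -> quantity
    contact: Dict[str, str] = field(default_factory=dict)  # name/address: safe to persist
    mode: str = "shopping"
    _card: Optional[str] = None  # card number: never written to the database
    _card_set_at: float = 0.0

    def add_item(self, inventory_id: str, qty: int = 1) -> None:
        self.cart[inventory_id] = self.cart.get(inventory_id, 0) + qty

    def enter_checkout(self, card_number: str) -> None:
        self.mode, self._card, self._card_set_at = "checkout", card_number, time.monotonic()

    def set_mode(self, mode: str) -> None:
        if mode != "checkout":  # going back to shopping mode drops the card at once
            self.clear_card()
        self.mode = mode

    def clear_card(self) -> None:
        self._card, self._card_set_at = None, 0.0

    def card_for_clearing(self, now: Optional[float] = None) -> Optional[str]:
        # usable only inside checkout and only within the TTL; an expired card is wiped
        now = time.monotonic() if now is None else now
        if self.mode != "checkout" or self._card is None:
            return None
        if now - self._card_set_at > CARD_TTL_SECONDS:
            self.clear_card()
            return None
        return self._card

    def complete_purchase(self, charge: Callable[[str, Dict[str, int]], str]) -> Optional[str]:
        # hand the number to the gateway once, then forget it before the receipt is rendered
        card = self.card_for_clearing()
        if card is None:
            return None
        try:
            return charge(card, dict(self.cart))
        finally:
            self.clear_card()
```

The `charge` callable stands in for the 3rd-party transaction handler; the receipt email and Thank You screen are rendered from its return value, after the card has already been cleared.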