PerlMonks  

Should I add shopping cart items to session table or create new table?

by powerhouse (Friar)
on Mar 23, 2003 at 18:46 UTC ( #245296=perlquestion )
powerhouse has asked for the wisdom of the Perl Monks concerning the following question:

Hello, I am using Apache::Session::MySQL to maintain sessions, and they last for 1 year, or until the user expires them. It places a cookie on their computer to track the session key, and it checks to make sure the cookie is present, if not, then it adds the session key to the url, and it's passed to every page.

With that said, I am about to add the Shopping Cart functions to our site. Should I create ANOTHER MySQL table to hold all the shopping cart items, OR Should I just put them in the session?

I don't know what would be best. I think that if it was in the session then it would be easier to maintain, and the session keys are pretty hard to guess, but since they are passed to EVERY page, in the event the user does not accept cookies, then it would be fairly easy for a hacker to sniff it out, and then just add the session key to their session, and take it over.

Also of note, however, is the fact that I'm using PayPal to process orders, so I don't maintain any financial data, so it would not benefit a hacker to hijack a session, since they could not get any financial data anyways.

What would YOU do?

I would like to read about what you personally, as a perl guru or not, would do.

thx,
Richard

Title edit by tye

Re: Advise, Should I...
by Jaap (Curate) on Mar 23, 2003 at 18:58 UTC
    How can you 'put a shopping cart in a session'? You need to store the ordered items somewhere, either in a cookie or serverside.

    The cookie method is probably the easier one. If people disable cookies on their browser, or they use a browser which doesn't eat cookies, they'll understand they can't order.
      Well, I can put them in variables....

      $sess_ref->attr("sco_$item_num", $quantity);

      Then to retrieve it, do a foreach...

      foreach my $key (keys %{$sess_ref}) {
          if ($key =~ /^sco_/) {
              # ok this is a Shopping Cart Ordered Item, added to the list
          }
      }

      Something like that.

      I want to keep everything server side, so I guess I should not use the session to maintain it.

      I guess I'll use a MySQL Table, for that also, that way if the user logs in on another machine, like at work or a friends house, they will be able to continue that order, since it will be by username, instead of session id.

      So, I guess that answers my question ;o)

      thx,
      Richard
Re: Advise, Should I...
by pfaut (Priest) on Mar 23, 2003 at 19:24 UTC

    The shopping cart should be implemented separately from the session. This will allow the user to log in at a later date from a different browser and continue their shopping.

    --- print map { my ($m)=1<<hex($_)&11?' ':''; $m.=substr('AHJPacehklnorstu',hex($_),1) } split //,'2fde0abe76c36c914586c';
      Yeah, I'm working on it now...

      tougher than I thought it would be. ;o)

      thx,
      Richard
Re: Advise, Should I...
by perrin (Chancellor) on Mar 23, 2003 at 21:49 UTC
    Definitely keep the shopping cart separate from the session. Transient data like the user's ID and login status go in the session. Data that applies to multiple users or lasts longer than the current browsing session never goes in the session.

    By the way, cookies are not more secure than URLs. They are passed as plain text, and anyone who has access to sniff packets on the user's local network can grab and use either. Cookies are passed (from the client) on every request.

    If you want sessions that are more than just "hard to guess", use an MD5 hash with a secret password on your side as part of the cookie, to verify that the cookie data actually came from you. This does not prevent people from sniffing the cookie off the wire, but it does prevent them from using a brute force attack to guess a valid session ID.
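
    One way to implement the "verify the cookie actually came from you" idea from the reply above, as an added example that is not code from this thread or from Apache::Session. It swaps the MD5-plus-secret construction for an HMAC (Digest::SHA, a core module), since a keyed HMAC is the standard way to do this; the cookie layout `<session_id>:<tag>`, the `$SECRET` value and the 32-hex-digit session id format are assumptions.

    ```perl
    #!/usr/bin/perl
    use strict;
    use warnings;
    use Digest::SHA qw(hmac_sha256_hex);

    # Assumption: the secret lives in server-side config, never in the cookie or the URL.
    my $SECRET = 'replace-with-a-long-random-secret';

    # Cookie value is "<session_id>:<tag>", where tag = HMAC-SHA256(secret, session_id).
    # Anyone can read the id, but nobody without $SECRET can produce a valid tag for a
    # guessed id, so brute-forcing ids no longer yields a usable session.
    sub make_cookie {
        my ($session_id) = @_;
        return $session_id . ':' . hmac_sha256_hex($session_id, $SECRET);
    }

    # Constant-time comparison so response timing does not leak how many tag bytes matched.
    sub tags_equal {
        my ($x, $y) = @_;
        return 0 unless length $x == length $y;
        my $diff = 0;
        $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
        return $diff == 0;
    }

    # Returns the session id when the tag verifies, undef otherwise. Checking the tag
    # before touching the sessions table also keeps forged ids out of the database path.
    sub verify_cookie {
        my ($cookie) = @_;
        return undef unless defined $cookie;
        my ($session_id, $tag) = split /:/, $cookie, 2;
        return undef unless defined $tag && $session_id =~ /^[0-9a-f]{32}$/;
        return tags_equal($tag, hmac_sha256_hex($session_id, $SECRET)) ? $session_id : undef;
    }

    # Constructed sample id in the 32-hex-digit shape Apache::Session generates.
    my $sid    = 'e3b0c44298fc1c149afbf4c8996fb924';
    my $cookie = make_cookie($sid);
    print "issued: $cookie\n";
    print "check:  ", (verify_cookie($cookie) // 'rejected'), "\n";

    # A neighbouring id with a made-up tag is rejected without any table lookup.
    my $forged = 'e3b0c44298fc1c149afbf4c8996fb925:' . ('0' x 64);
    print "forged: ", (verify_cookie($forged) // 'rejected'), "\n";
    ```

    As the reply says, this does nothing against someone who sniffs the whole cookie off the wire; for that the session still has to travel over HTTPS.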

Re: (nrd) Should I add shopping cart items to session table or create new table?
by newrisedesigns (Curate) on Mar 24, 2003 at 12:45 UTC

    Personally?

    I wouldn't trust myself. If this shopping cart is for a client, and is not being written just for fun, I'd download Interchange, an open-source shopping cart script and use that. Security before pride, especially if the code is for someone else.

    If this is just for fun, my suggestion is keep the session and the cart apart. Stuffing all the information into one session that's passed back and forth would work, however, for debugging (and future additions) sake, keep them separate. If you feel the need, you could always integrate them later.

    John J Reiser
    newrisedesigns.com
