Kelvin, sessions are just one of the items recommended for an e-commerce website. I seem to recall that if cookies were not enabled there was a way of passing the session id in the URL as a GET parameter.
Basically you will store the items to be purchased in a special table, and a shopper ID or cart ID number will be assigned with the first selected item; it needs to be retained to be able to recall the selected items when the shopper is ready to check out. A session variable is a good place to store this id, but it could also be passed in the form as a hidden field. A session is also a convenient way of providing generic storage of the items to be purchased; a separate table is possibly more common.

You don't have to be too concerned about security up to the point where someone begins to check out, when you begin gathering personal information from the buyer. Give it some thought, but I suspect in most cases that if someone were to capture a session at this point, the worst that could happen is they would both order and pay for the same items.

When you gather personal information it becomes a different matter, and at this point I would first recommend you consider passing your order items to a resource like PayPal and let them collect the personal information. If that is not possible you will want to switch to SSL communication with the browser before you present your form for the personal information, and even in this mode I would recommend that if you detect errors on the form and need to re-present the form for the buyer to correct info, toss away the credit card info and have them re-enter it. You do not want to store this in your session, or anywhere on your system, without really secure encryption (I'm talking about the DB side here, not the SSL channel to the browser).

Once you begin collecting personal information (and this is not limited to the obvious like social security numbers), you should make sure the session cannot be hijacked, to prevent identity theft; this is where cookies work so well.
Anyone who doesn't allow cookies is forcing you into a situation where you must expose their session information in the URL or a hidden field on the form, where it can be hijacked, in which case I would refuse to have them as a customer; it's not worth the risk.

Hope this helps,
Warren

-----Original Message-----
From: Kelvin Park [mailto:[EMAIL PROTECTED]
Sent: Friday, August 17, 2007 3:02 PM
To: php-general@lists.php.net
Subject: [PHP] About Session And Cookies

I am trying to set up a secure login system. I've heard that if I use just cookies for login, members without cookies turned on won't be able to see the member pages. Is using sessions recommended for e-commerce websites with shopping carts? Or might using both of them be more effective in some way?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
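The cart-ID-in-session layout and the checkout hardening Warren describes above, written out as an added PHP example (this is not code from the thread or from either poster). It assumes PHP 7.3 or later, a PDO connection in `$pdo`, and a hypothetical `cart_items(cart_id, sku, qty)` table; the `/checkout/pay` route is likewise made up for illustration.

```php
<?php
// Added example: cart id kept in the session, session id carried only in a
// hardened cookie, and card data discarded whenever the payment form is
// re-presented. Assumes PHP >= 7.3, a PDO handle in $pdo, and a hypothetical
// cart_items(cart_id, sku, qty) table.
declare(strict_types=1);

// The session id lives only in the cookie: never in a URL or a hidden field.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');   // no ?PHPSESSID=... link rewriting
ini_set('session.use_strict_mode', '1'); // reject ids the server never issued
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,  // only sent over HTTPS
    'httponly' => true,  // not readable by JavaScript
    'samesite' => 'Lax',
]);
session_start();

// A cart id is assigned with the first item; only the id is kept in the session.
function currentCartId(): string
{
    if (empty($_SESSION['cart_id'])) {
        $_SESSION['cart_id'] = bin2hex(random_bytes(16)); // 128 unguessable bits
    }
    return $_SESSION['cart_id'];
}

function addItem(PDO $pdo, string $sku, int $qty): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO cart_items (cart_id, sku, qty) VALUES (:cart, :sku, :qty)'
    );
    $stmt->execute([':cart' => currentCartId(), ':sku' => $sku, ':qty' => $qty]);
}

function cartItems(PDO $pdo): array
{
    $stmt = $pdo->prepare('SELECT sku, qty FROM cart_items WHERE cart_id = :cart');
    $stmt->execute([':cart' => currentCartId()]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Checkout is where personal data starts flowing: force HTTPS and issue a fresh
// session id so an id captured while browsing no longer works.
function beginCheckout(): void
{
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 302);
        exit;
    }
    session_regenerate_id(true);
    $_SESSION['checkout_started'] = time();
}

function validatePayment(array $post): array
{
    $errors = [];
    if (trim($post['name'] ?? '') === '') {
        $errors[] = 'Name is required.';
    }
    $digits = preg_replace('/\D/', '', $post['card_number'] ?? '');
    if (strlen($digits) < 13 || strlen($digits) > 19) {
        $errors[] = 'Card number looks wrong; please re-enter it.';
    }
    return $errors;
}

// On error the form comes back with the name filled in and the card fields
// blank: card data is never echoed back, never put in $_SESSION, never stored.
function renderPaymentForm(array $errors, string $name): string
{
    $html = '';
    foreach ($errors as $e) {
        $html .= '<p class="error">' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    return $html
        . '<form method="post" action="/checkout/pay">'
        . '<input name="name" value="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '">'
        . '<input name="card_number" value="" autocomplete="off">' // deliberately empty
        . '<input name="card_cvc" value="" autocomplete="off">'
        . '<button>Pay</button></form>';
}

// Hypothetical handling of the payment POST.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST' && !empty($_SESSION['checkout_started'])) {
    $errors = validatePayment($_POST);
    if ($errors) {
        echo renderPaymentForm($errors, (string) ($_POST['name'] ?? ''));
    } else {
        // hand $_POST['card_number'] straight to the payment processor, then forget it
    }
    unset($_POST['card_number'], $_POST['card_cvc']); // drop it either way
}
```

`session.use_only_cookies` together with `session.use_trans_sid = 0` is what closes the "session id in the URL" route Warren mentions, and `session.use_strict_mode` stops a visitor from choosing their own id (session fixation). Regenerating the id at checkout and leaving the card inputs empty on re-display implement his two checkout recommendations; `$_SESSION` only ever holds the cart id and a timestamp.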