[thelist] ASP: Shopping Cart Theory

Paul Cowan evolt at funkwit.com
Mon Jul 8 19:16:01 CDT 2002


Norman wrote:
> AFAIK IIS doesn't assign a new session if the user opens a new window. The
> session cookie is available to all instances of the new browser, the user
> would have to shut down all their browser windows and then open a new
> instance of it and then connect to the site again to create a new session.

Sort of.

ASP Session IDs use "per-session cookies", not "persistent cookies". When
you close your browser, all per-session cookies are deleted, but persistent
cookies are kept until their time expires.

However, there are some caveats when using IE.

If you are browsing a site that uses ASP Sessions, and launch a new window
by hitting Control-N, or "open link in new window", or "file -> new window",
then your per-session cookie will be kept, and you can have two windows
browsing the same site sharing the same session (requests with the same
session ID are serialized -- i.e. put in a queue so they can't run
at the same time -- so you don't have to worry about things happening out
of order).

BUT: if you launch a new window not by doing the above, but by double-clicking
on the Internet Explorer icon or choosing it from the Start menu or whatever,
then you WILL get a new "session" as far as IE is concerned (and hence ASP).

So watch out for that one.

(A little bit of cookie info here:
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;q223799 )


Also, my 2 cents on the topic of session vs. storing shopping cart
in cookies: remember, if you store the whole cart in cookies, cookies are
not inherently secure. If you send a cookie to the user:
    Capdabbler:Red:1:$2.95
    Capdabbler:Blue:2:$5.90
    Left-Handed Smendler:Red:1:$21.95
then there is nothing at all to stop the customer editing that cookie,
one way or another, to make the Left-Handed Smendler only cost 20 cents.
If you don't validate what comes back from the customer, then you might
find yourself selling a lot of cheap Smendlers.

Just watch for that one.

Cheers,

Paul

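An added example (not part of Paul's post, and written in Python rather than classic ASP so it runs stand-alone) showing the cart-in-a-cookie problem above and two server-side defences: ignoring the price the browser sends back and pricing from the server's own catalogue, and signing the cookie with an HMAC so edits are detected. The catalogue, unit prices, secret key and cookie layout are constructed for the example; only the product names come from the post.

```python
"""Cart-in-a-cookie: the tampering problem from the post, and two defences."""
import hashlib
import hmac
from decimal import Decimal

# Constructed server-side price list using the product names from the post.
# Unit prices are an assumption; the post only shows line totals.
CATALOGUE = {
    ("Capdabbler", "Red"): Decimal("2.95"),
    ("Capdabbler", "Blue"): Decimal("2.95"),
    ("Left-Handed Smendler", "Red"): Decimal("21.95"),
}

# Hypothetical server-side key; it is never sent to the browser.
SECRET_KEY = b"replace-with-a-random-secret-kept-on-the-server"

# Cookie values cannot contain newlines, so the post's lines are joined with '|'.
RECORD_SEP = "|"


def parse_cart(cookie_value):
    """Split 'item:colour:qty:$price|...' into (item, colour, qty, price) tuples."""
    records = []
    for record in cookie_value.split(RECORD_SEP):
        if not record:
            continue
        item, colour, qty, price = record.split(":")
        records.append((item, colour, int(qty), Decimal(price.lstrip("$"))))
    return records


def naive_total(cookie_value):
    """What the post warns against: trusting the price field the browser sent back."""
    return sum(price for _, _, _, price in parse_cart(cookie_value))


def server_priced_total(cookie_value):
    """Defence 1: treat the cookie as (item, colour, qty) only.

    The price field is ignored; unit prices come from the server's catalogue,
    unknown products raise KeyError and non-positive quantities are rejected.
    """
    total = Decimal("0")
    for item, colour, qty, _ignored_price in parse_cart(cookie_value):
        if qty < 1:
            raise ValueError("quantity must be positive")
        total += CATALOGUE[(item, colour)] * qty
    return total


def sign_cart(cookie_value):
    """Defence 2: append an HMAC-SHA256 tag so any edit to the value is detectable."""
    tag = hmac.new(SECRET_KEY, cookie_value.encode(), hashlib.sha256).hexdigest()
    return f"{cookie_value}.{tag}"


def verify_cart(signed_value):
    """Return the cart value if its HMAC tag is valid, otherwise None."""
    value, sep, tag = signed_value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None


# Constructed cookie matching the post's example lines, and a tampered copy
# in which the Left-Handed Smendler has been marked down to 20 cents.
ORIGINAL_COOKIE = RECORD_SEP.join([
    "Capdabbler:Red:1:$2.95",
    "Capdabbler:Blue:2:$5.90",
    "Left-Handed Smendler:Red:1:$21.95",
])
TAMPERED_COOKIE = ORIGINAL_COOKIE.replace("$21.95", "$0.20")


if __name__ == "__main__":
    print("naive total, original cookie  :", naive_total(ORIGINAL_COOKIE))
    print("naive total, tampered cookie  :", naive_total(TAMPERED_COOKIE))
    print("server-priced, tampered cookie:", server_priced_total(TAMPERED_COOKIE))
    edited_signed = sign_cart(ORIGINAL_COOKIE).replace("$21.95", "$0.20")
    print("edited signed cookie accepted :", verify_cart(edited_signed) is not None)
```

The two defences are complementary: server-side pricing means the cookie can only ever express what the customer wants, not what they pay, while the HMAC lets the server reject any cookie it did not itself issue. Storing only a cart identifier in the cookie and keeping the cart on the server (as with an ASP Session) avoids both problems, at the cost of the session caveats discussed above.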