COMP3121 E-Commerce Technologies, Richard Henson, University of Worcester, November 2010

36 pages

Uploaded by leslie-richards, posted 26-Dec-2015

Page 1: COMP3121 E-Commerce Technologies Richard Henson University of Worcester November 2010

COMP3121 E-Commerce Technologies

Richard Henson

University of Worcester

November 2010

Page 2

Week 7: More on Server-side Shopping Carts

Objectives

- Discuss relative merits and problems of server-side shopping carts
- Plan and design a relational database for use in storing product and customer data
- Use pre-written server behaviours with the VWD environment
- Integrate pre-written server behaviours to assemble a server-side shopping cart system

Page 3

Shopping System Processes

- Extract buying data for item
- Create product and order totals
- Display online order
- Extract customer details
- Send relevant details to secure server for online payment
- Display online invoice including any additional charges
- Provide fulfilment information to customer via email

Page 4

Possible Data Model with entities/attributes added

(diagram slide: the data model figure is not reproduced in the transcript)

Page 5

Which comes first… the chicken or the egg?

- Which to develop first… data model or process model? Much debate…
- Generally, it is considered to be a good idea to start with the data… That means:
  » identifying the ENTITIES
  » modelling their relationships
  » adding the ATTRIBUTES

Page 6

Possible basic data (entity) model for a Shopping System

(diagram slide) Entities shown: customer, order, order line, product

No entity relationships shown! Where does Shopping Cart fit?

Page 7

Creating the Physical Database from a Logical Design

- Database that can work with SQL required…
- Popular options for small(ish) databases:
  - Microsoft Access
    » only Access 2000 onwards properly SQL compliant
  - MySQL
    » originally shareware for Unix
    » now available for W2K
- Popular options for larger databases: SQL Server, ORACLE

Page 8

Testing the Logical Design with Physical Data…

- It works on paper… But a practical working model is needed:
  - create database tables
  - link them together, according to the Entity model you created
  - populate the tables with trial data of an appropriate format
  - make sure all is consistent

Page 9

Typical RAD tool “errors”…

- MUCH can go wrong…!!!
- Before embarking on shopping cart development…
  - need to make sure all local/remote web server settings are correct
  - screen fields and db fields must use the same format
    » mustn’t use “reserved words” or punctuation, inc spaces
  - users must have sufficient access rights to write to the database
    » this especially includes the “IIS process” user
- major adjustments may be needed in response to a minor change in design…
  » TRUE OF MOST SOFTWARE DEVELOPMENT PROJECTS…
  » all the more reason to get the design right…

Page 10

Benefits of using a RAD tool

- Puts a huge array of asp.net objects and behaviours at your disposal
- Provides the local, remote, and application/testing server options to aid development and testing
- Helps you set up controls to support the execution of aspx files within the .net framework
- Uses objects and behaviours to create GET and PUT HTML pages to interact with the database
- Provides for seamless database connectivity
- Allows easy ftping to a remote server on the www

Page 11

Role of Server Behaviours in creating Product Pages

- After the database has been thoughtfully designed… it needs to be physically implemented
- Server behaviours with appropriate embedded SQL are then required for:
  - picking the right data out of the remote database
  - writing data to the appropriate locations in HTML pages on the local client browser

Page 12

Local storage of “remote” data

- Asp.net supports local storage of data through the use of datasets
  - simply a local copy of various data fields held on one or more data tables on the remote database
  - each field becomes a variable in local memory
- The dataset fields map directly onto the fields in the remote database
  - new data can therefore always be stored locally until the appropriate server command is made that writes it to the remote database

Page 13

The Dataset Display (one record)

- As you have seen, VWD facilitates the set up of datasets & datagrids
- Can then be used to display dataset data on a HTML page, as the shopping cart
  - a form/further control can be used to create a HTML table for displaying a single record
  - a navigation bar object can then be added and used to navigate to other records

Page 14

Use of “Repeated Region”

- To display Multiple Records from a defined dataset, the following procedure is needed:
  - highlight the row where data is displayed
    » data only – not column headings
  - choose “Repeat Region” from the available Server Behaviours
  - select the number of records you wish to display (10 is the default)

Page 15

Making the Product Pages Attractive and Usable

- All the principles of web page design learned in COMP1141, 2121, 2040, etc. should still apply:
  - use Templates and CSS if possible to give all the pages a common background layout and that same look and feel
  - also make use of VWD’s client behaviours, written in various languages
  - make sure the pages load quickly by using software such as Photo Editor or PhotoShop, keeping graphics small, of lower resolution, or both

Page 16

Encouraging Customer Interaction

- The next stage of the product pages is the customer interactivity that represents buying
- Again, server behaviours must be written/engineered/used to extract the data from various types of HTML forms and store it:
  - temporarily in the local datasets
  - permanently in the remote database

Page 17

How to capture “buying” data

- Needs to be triggered from the shopping pages
  - hotlink that passes the product record ID to a newly created session cookie
    » Known as THE CART…
  - and extracts other data to the cart from the product table, e.g. price
- Each new cookie needs an ID
  - a cookie represents an order…
    » orderID represents cookieID
  - each new product ordered creates an orderline
    » Each orderline needs an ID
- In a real shopping system, orders and orderlines are saved to a remote database
  - essential for a business to keep transaction records…

Page 18

When to collect customer data

- Long standing debate amongst shopping cart designers… Can either:
  - make customers “register” when they enter the site
  - Or… only make customers register when they are ready to buy
- The former might be better from a marketing perspective (collecting “intelligence” on potential customers…) but will put some customers off even browsing the site
- Customer registration only when buying is preferable IMHO

Page 19

The Shopping Cart

- In Dreamweaver terms, this is a dataset…
  - extracted from fields from different tables, held on a remote database
    » products
    » orders
    » order-items in a specific order
  - stored securely in local memory
  - easily extracted for screen display

Page 20

Displaying the Shopping Cart

- A web page needs to be designed to display cart data from the dataset in an appropriate place
- A table design tool saves time…
  - rows and columns as appropriate…
  - programming code extracts and displays data in the cells

Page 21

Display of Shopping Calculations

- Expectation that a shopping cart will display…
  » a line for each product – including line total
  » and an order total
- For the display of line totals and order totals… calculations need to be included
  - cart fields needed for results of these calculations
- Creation of the cart display is then simply a matter of:
  - extracting data from a local recordset/dataset
  - displaying it on the pre-formatted page
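The entity model of Page 6, the "build it, populate it, check it is consistent" procedure of Page 8 and the line/order totals of Page 21 can be exercised together in one small script. The following is an added example, not code from the slides or from the VWD/asp.net tooling they describe: it uses Python's built-in sqlite3 module as the "physical database", table and column names are assumptions, and the trial rows are constructed. Note that the order entity is created as a table called `orders`, because `order` is an SQL reserved word (exactly the kind of RAD-tool "error" Page 9 warns about), and prices are kept in integer pence so that totals never suffer floating-point rounding.

```python
import sqlite3

# Added example (not from the slides): the four entities of Page 6 as a physical
# SQLite schema. Names are assumptions; "order" is reserved in SQL, hence "orders".
SCHEMA = """
CREATE TABLE customer (
    customer_id INTEGER PRIMARY KEY,
    name        TEXT NOT NULL,
    email       TEXT NOT NULL,
    postcode    TEXT NOT NULL
);
CREATE TABLE product (
    product_id  INTEGER PRIMARY KEY,
    description TEXT NOT NULL,
    unit_price  INTEGER NOT NULL CHECK (unit_price >= 0)   -- pence, not floats
);
CREATE TABLE orders (
    order_id    INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customer(customer_id),
    placed_at   TEXT NOT NULL
);
CREATE TABLE orderline (
    orderline_id INTEGER PRIMARY KEY,
    order_id     INTEGER NOT NULL REFERENCES orders(order_id),
    product_id   INTEGER NOT NULL REFERENCES product(product_id),
    quantity     INTEGER NOT NULL CHECK (quantity > 0),
    UNIQUE (order_id, product_id)                            -- one line per product
);
"""

# Constructed trial data of "an appropriate format" (Page 8).
TRIAL_DATA = [
    ("INSERT INTO customer VALUES (?, ?, ?, ?)",
     [(1, "A. Shopper", "shopper@example.test", "WR2 6AJ")]),
    ("INSERT INTO product VALUES (?, ?, ?)",
     [(10, "Widget", 250), (11, "Gadget", 1999)]),
    ("INSERT INTO orders VALUES (?, ?, ?)",
     [(100, 1, "2010-11-01")]),
    ("INSERT INTO orderline VALUES (?, ?, ?, ?)",
     [(1, 100, 10, 3), (2, 100, 11, 1)]),
]


def build_database() -> sqlite3.Connection:
    """Create the tables, link them (foreign keys) and load the trial rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite enforces FKs only when asked
    conn.executescript(SCHEMA)
    for sql, rows in TRIAL_DATA:
        conn.executemany(sql, rows)
    conn.commit()
    return conn


def cart_lines(conn: sqlite3.Connection, order_id: int) -> list:
    """One row per orderline: (description, quantity, unit_price, line_total).
    The line total is computed in SQL from the stored price, not taken from the page."""
    return conn.execute(
        """SELECT p.description, ol.quantity, p.unit_price,
                  ol.quantity * p.unit_price AS line_total
           FROM orderline ol JOIN product p ON p.product_id = ol.product_id
           WHERE ol.order_id = ?
           ORDER BY ol.orderline_id""",
        (order_id,),
    ).fetchall()


def order_total(conn: sqlite3.Connection, order_id: int) -> int:
    """Order total in pence; 0 for an order with no lines."""
    (total,) = conn.execute(
        """SELECT COALESCE(SUM(ol.quantity * p.unit_price), 0)
           FROM orderline ol JOIN product p ON p.product_id = ol.product_id
           WHERE ol.order_id = ?""",
        (order_id,),
    ).fetchone()
    return total


def consistency_check(conn: sqlite3.Connection) -> bool:
    """Page 8's 'make sure all is consistent': every foreign key must resolve,
    and an orderline pointing at a product that does not exist must be refused."""
    if conn.execute("PRAGMA foreign_key_check").fetchall():
        return False                       # dangling references found
    try:
        conn.execute("INSERT INTO orderline VALUES (99, 100, 999, 1)")
    except sqlite3.IntegrityError:
        return True                        # the database rejected the bad row
    return False


if __name__ == "__main__":
    db = build_database()
    for desc, qty, price, line in cart_lines(db, 100):
        print(f"{desc:10} x{qty:<3} @ {price/100:7.2f} = {line/100:8.2f}")
    print(f"order total: {order_total(db, 100)/100:.2f}")
    print("consistent:", consistency_check(db))
```

Running the script prints the two cart lines, the order total and the result of the consistency check; the same queries are what a server behaviour would embed to fill the cart's calculated fields.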

Page 22

Secure storage/Retrieval of Shopping Cart Data

- Sensitive and Private Data should be secure
  - remote storage obviously better!
- Cart data is best held locally for quick response – dilemma?
- Compromise
  - use local datasets with high level of local security
  - only store non-sensitive data in cart fields
- Solution: cart data held locally as a “session cookie”… deleted as soon as the customer logs out…
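Pages 17, 19 and 22 together describe the cart as a session cookie that carries an order ID and its order lines, holds only non-sensitive fields, and is discarded at logout. The following added example (not code from the slides or from the tooling they describe) shows one way to make such a cookie safe to hand to the browser: the cookie carries only product IDs and quantities, every price is looked up again from the server-side product table when the cart is displayed, the cookie is protected by an HMAC so an edited copy is rejected, and it is issued with the attributes that keep it off disk and off plain HTTP. The secret, the product prices and the field names are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Added example, not from the slides. The signing key stays in server-side
# configuration; it never appears in a page or a cookie. Constructed here.
SERVER_SECRET = secrets.token_bytes(32)

# Constructed stand-in for the product table: product_id -> unit price (pence).
PRODUCT_PRICES = {10: 250, 11: 1999}

# The only fields allowed in the cart cookie (Page 22: non-sensitive data only).
ALLOWED_CART_KEYS = {"order_id", "lines"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_cart(order_id: str) -> dict:
    """Page 17: a new cookie is an order; its ID is the order ID."""
    return {"order_id": order_id, "lines": {}}


def add_line(cart: dict, product_id: int, quantity: int) -> dict:
    """Page 17: the product hotlink adds an orderline. Only the product ID and
    quantity are stored; the price is re-read from the product table on display,
    so editing the cookie cannot change what the customer is charged."""
    if product_id not in PRODUCT_PRICES or quantity <= 0:
        raise ValueError("unknown product or invalid quantity")
    key = str(product_id)                      # JSON object keys are strings
    cart["lines"][key] = cart["lines"].get(key, 0) + quantity
    return cart


def encode_cookie(cart: dict) -> str:
    """Serialise the cart and append an HMAC-SHA256 tag over the serialised bytes."""
    if set(cart) - ALLOWED_CART_KEYS:
        raise ValueError("sensitive or unexpected field in cart")
    body = json.dumps(cart, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_SECRET, body, hashlib.sha256).digest()
    return b64url_encode(body) + "." + b64url_encode(tag)


def decode_cookie(value: str):
    """Return the cart, or None if the cookie is malformed or its tag does not verify."""
    try:
        body_b64, tag_b64 = value.split(".", 1)
        body, tag = b64url_decode(body_b64), b64url_decode(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SERVER_SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    cart = json.loads(body)
    if not isinstance(cart, dict) or set(cart) != ALLOWED_CART_KEYS:
        return None
    if not isinstance(cart["lines"], dict):
        return None
    return cart


def cart_totals(cart: dict):
    """Page 21 style line and order totals, priced from the server-side table."""
    lines = []
    for key, qty in cart["lines"].items():
        pid = int(key)
        price = PRODUCT_PRICES[pid]
        lines.append((pid, qty, price, qty * price))
    return lines, sum(line[3] for line in lines)


def cookie_header(value: str) -> str:
    """Set-Cookie value for the cart: no Max-Age/Expires makes it a session
    cookie; Secure keeps it off plain HTTP; HttpOnly keeps it from page script."""
    return f"cart={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def logout_cookie_header() -> str:
    """Page 22: the cart is deleted when the customer logs out."""
    return "cart=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=Lax"
```

A server behaviour would call `decode_cookie` on every request that touches the cart and treat `None` as "no cart" rather than trusting the contents; card details never enter this structure at all, which is the forwarding rule Page 25 and the summary on Page 35 insist on.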

Page 23

Issues with Customer Data

- Not stored with the cart, but customer details capture is a crucial part of the shopping SYSTEM
- Private Data!!! MUST (1998 Data Protection Act) be kept up to date, stored and moved securely
  - better not to store locally
  - write directly to/from the remote, secure, database
  - always sent/received using secure http

Page 24

Essential Customer Fields for Purchase

- Name & address fields
  - include postcode
- Email address
  - fulfilment information & messages
- Telephone no
  - in case email fails
- Shipping address fields
  - customer may not want goods delivered to the same address…

Page 25

Handling Customer Data

- Added by the customer to a HTML form
  - extracted by put or get
  - sent securely using http-s
- Processed remotely on a secure server & stored on a secure remote database
- sensitive data (e.g. customer’s credit card details) should be sent securely to a specialist provider with an SSL certificate
  » can only send such data via https over a secure connection to a secure server
- Under no circumstances should ANY customer data be dealt with using standard HTTP!

Page 26

On-line Payment Systems

- Requires an effective & highly secure method of:
  1. authentication of the user
  2. authorisation of the amount required for payment (has to follow authentication)
- BOTH effectively achieved through an on-line link to the International banking system
- Usually a fee required to make this link
  - makes sense to do authentication & authorisation at the same time
  - some shopping cart payment systems authenticate NOW, and authorise LATER

Page 27

Authentication (Is the user really who they say they are?)

- Will require confirmation of:
  - name
  - type of account
  - account number
  - other information (e.g. start date, expiry date, issue number), depending on the type of account

Page 28

Authorisation (even if they are that person, can they pay?)

- Just because the user has that account with those details, doesn’t mean they have the funds available to pay for the goods…
- The account needs to be checked against the invoice amount to make sure that the account has sufficient funds…

Page 29

B2B Payment Systems

- B2B systems usually make use of EFT (Electronic Funds Transfer)
- Both buyer and seller need to contact relevant bank computer:
  - for authentication purposes
  - to transfer funds
- On-line banking system needs to be very secure:
  - 512 bit encryption
  - private networks with secure gateway from the Internet

Page 30

B2C Payment Systems

- Payment takes place through the vendor’s web site
  - most popular method - credit or debit card
- Relevant bank computer needs to be contacted
  - uses the Internet to find gateway to bank network
  - security between bank, server, and browser a major issue - use VPN & secure protocols such as SSL & http-s
- Once within the International Banking Network, similar authentication and funds transfer systems as for B2B

Page 31

Security Issues with B2C Payment Systems

- Data could technically be intercepted either:
  - at the user’s browser
  - at the vendor’s server
  - at the gateway to the International Banking Network
  - en route between any of the above
- Correct use of VPNs (Virtual Private Networks), with encryption and secure protocols throughout, makes it extremely unlikely that data will be intercepted en route

Page 32

Protection of “Data at Rest”

- The Internet allows any node to be a potential target…
- Some early systems stored credit card details on the vendor’s server
  » asking for trouble!
- Some concern also about the “secure servers” of merchant service providers
  » must hold e.g. credit card numbers stored in an encrypted format
- Client browser only holds screen payment data in computer memory
  - local hard disk would be a potential security hole…

Page 33

Securing those Merchant Servers

- Server security a matter of:
  - configuration and management of the server software
  - setting appropriate user privileges and file security
  - auditing of all access to confidential data
  - appropriate monitoring of attempted entry to the system by “invalid” users
- Probably a lot safer to have credit details held here than written down by a stranger at the other end of the telephone line…

Page 34

Keeping the Customer Informed!

- Relatively easy to produce a system to keep the customer informed about their order
- Importance of taking the trouble to do this is paramount, bearing in mind that customers may be from overseas
- Easiest way to communicate progress with customer is to use email
- Possible to send messages when:
  - credit details are authenticated
  - order is paid for
  - order is picked
  - order is dispatched

Page 35

Summary of Main Points

- Very good reasons for making both product pages and shopping cart client-server
- Client-server shopping system must have a well designed database held remotely
- Cart & cart fields should be held in local computer whilst user is logged on
- Customer data should be held remotely
- Standard shopping cart should not handle online payment data at all, just forward it securely

Page 36

Good Planning for Shopping Systems

- Develop the data model (database)
- Plan the shopping pages
- Identify the scripts needed to store customer shopping data, produce the cart and invoice
- Plan the datasets that will be used for temporary data storage
- Choose an Implementation model for the data model (e.g. IIS, asp, MDAP, Access)
- Select a Payment System that works with the Implementation model chosen