COMP3121 E-Commerce Technologies, Richard Henson, University of Worcester, November 2011


Page 1: COMP3121 E-Commerce Technologies

COMP3121 E-Commerce Technologies

Richard Henson

University of Worcester

November 2011

Page 2: COMP3121 E-Commerce Technologies

Week 7: More on Server-side Shopping Carts

Objectives
• Plan and design a relational database for use in storing product, customer, order data
• Use pre-written assemblies as web controls for use within the VWD environment
• Integrate pre-written assemblies with web controls to produce a server-side shopping cart system

Page 3: COMP3121 E-Commerce Technologies

Possible Data Model with entities/attributes added

Page 4: COMP3121 E-Commerce Technologies

Possible basic data (entity) model for a Shopping System

Entities: customer, order, order line, product

No entity relationships shown! Where does the Shopping Cart fit?

Page 5: COMP3121 E-Commerce Technologies

Creating the Physical Database from a Logical Design
• Database that can work with SQL required…
• Popular options for small(ish) databases:
  » Microsoft Access
    » only Access 2000 onwards properly SQL compliant
  » MySQL
    » originally shareware for Unix
    » now available for W2K
• Popular options for larger databases:
  » SQL Server
  » ORACLE

Page 6: COMP3121 E-Commerce Technologies

Testing the Logical Design with Physical Data…
• It works on paper…
• But a practical working model is needed:
  » create database tables
  » link them together, according to the Entity model you created
  » populate the tables with trial data of an appropriate format
  » make sure all is consistent

Page 7: COMP3121  E-Commerce Technologies

Typical RAD tool “errors”…Typical RAD tool “errors”… MUCH can go wrong…!!!MUCH can go wrong…!!! Before embarking on shopping cart Before embarking on shopping cart

development…development… need to make sure all loca/remote web server settings need to make sure all loca/remote web server settings

are correctare correct screen fields and db fields must use the same formatscreen fields and db fields must use the same format

» mustn’t use “reserved words” or punctuation, inc spacesmustn’t use “reserved words” or punctuation, inc spaces users must have sufficient access rights to write to the users must have sufficient access rights to write to the

databasedatabase» this especially includes the “IIS process” userthis especially includes the “IIS process” user

major adjustments may be needed in response to a major adjustments may be needed in response to a minor change in design…minor change in design…

» TRUE OF MOST SOFTWARE DEVELOPMENT TRUE OF MOST SOFTWARE DEVELOPMENT PROJECTS…PROJECTS…

» all the more reason to get the design right…all the more reason to get the design right…

Page 8: COMP3121 E-Commerce Technologies

Role of Server Scripting in creating Product Pages
• After the database has been thoughtfully designed… it needs to be physically implemented
• Server behaviours with appropriate embedded SQL are then required for:
  » picking the right data out of the remote database
  » writing data to the appropriate locations in HTML pages on the local client browser

Page 9: COMP3121 E-Commerce Technologies

Local storage of “remote” data
• Asp.net supports local storage of data through the use of datasets
  » simply a local copy of various data fields held on one or more data tables on the remote database
  » each field becomes a variable in local memory
• The dataset fields map directly onto the fields in the remote database
  » new data can therefore always be stored locally until the appropriate server command is made that writes it to the remote database

Page 10: COMP3121 E-Commerce Technologies

The Dataset Display (one record)
• As you have seen, VWD facilitates the set up of datasets & datagrids
• Can then be used to display dataset data on a HTML page, as the shopping cart
  » a form/further control can be used to create a HTML table for displaying a single record
  » a navigation bar object can then be added and used to navigate to other records

Page 11: COMP3121 E-Commerce Technologies

Use of The Repeater with Datasets
• To display Multiple Records from a defined dataset, a procedure is used similar to that for a Repeater DataSource control, when used with an external database:
  » create the table
  » create “Repeater”
  » wrap <itemtemplate> round the <table>
  » adjust <repeater…> </repeater> so it wraps around itemtemplate

Page 12: COMP3121 E-Commerce Technologies

Making the Product Pages Attractive and Usable
• All the principles of web page design learned in COMP1141, 2121, 2040, etc. should still apply:
  » use master pages, and CSS to give all the pages a common background layout and the same “look and feel”
  » use client-side scripting, written in various languages, to enhance user interface
  » make sure the pages load quickly by using software such as Photo Editor or PhotoShop to keep graphics small, lower resolution, or both

Page 13: COMP3121 E-Commerce Technologies

Encouraging Customer Interaction
• It is the customer interactivity that represents “buying” through the website
• Again, server scripts must be written/engineered/used to extract the data from various types of HTML forms and store it:
  » temporarily in the local datasets
  » permanently in the remote database

Page 14: COMP3121 E-Commerce Technologies

How to capture “buying” data
• Data collection needs to be triggered from the shopping pages…
  » a hyperlink passes the product record ID to a newly created session cookie
  » an associate page extracts other data from the remote database to the session cookie, e.g. price from the product table
• This session cookie is of course the dataset for the shopping cart data…
  » but it needs to be carefully defined…

Page 15: COMP3121 E-Commerce Technologies

More about the Cart Dataset
• Each new cookie needs an ID
  » a cookie represents an order…
    » orderID therefore represents cookieID
  » a cookie record is created for each new product ordered
    » this represents an orderline…
    » each orderline needs an ID
    » orderlineID therefore equivalent to cookie record ID
• Essential for a business to keep records of transactions i.e. orders…
  » final cookie contents therefore saved to a remote database

Page 16: COMP3121 E-Commerce Technologies

Using the Cart Dataset
• The AddfromDb control extracts data from fields from products table, held on a remote database
  » stored as a cart record
  » stored securely in local memory
• Data generated by the cart can also relate to essential data for orders and order-items table, managed by a different control, WritetoDB

Page 17: COMP3121 E-Commerce Technologies

More about “The Cart”
• Needs to be designed to carry a number of parameters and settings
  » the WebXelCart assembly pre-defines the variables to store these settings
  » values need to be added to the cart control via the control “properties” or source code
• Data easily extracted from the cart using <%# Eval… %> to create the screen display

Page 18: COMP3121 E-Commerce Technologies

Displaying the Shopping Cart
• A web page needs to be designed to display cart data from the dataset in an appropriate place
• A table design tool saves time…
  » rows and columns as appropriate…
  » <%# Eval etc. as appropriate in the cells

Page 19: COMP3121 E-Commerce Technologies

Display of Shopping Calculations
• Expectation that a shopping cart will display…
  » a line for each product – including line total
  » an order total
• For the display of line totals and order totals…
  » calculations need to be included
  » cart fields needed for results of these calculations
• Creation of the cart display is then simply a matter of:
  » extracting data from the local dataset
  » displaying it on the pre-formatted page

Page 20: COMP3121 E-Commerce Technologies

Secure Storage/Retrieval of Shopping Cart Data
• Sensitive and Private Data should be secure
  » remote storage obviously better!
• Cart data is best held locally for quick response – dilemma?
• Compromise
  » use local datasets with best options for local security
  » only store non-sensitive data in cart fields
  » no customer data in the cart…
  » dataset deleted as soon as the customer logs out…
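
The cart dataset of Pages 15, 19 and 20 as one in-memory structure: the session cookie ID doubles as the order ID, each product ordered becomes a cart record with its own orderline ID, line and order totals are computed from the records, the record fields are restricted to non-sensitive product data, and the dataset is discarded at logout. This is an added example and is not the WebXelCart, AddfromDb or WritetoDB control the deck refers to; the product table is a constructed stand-in for the remote database and the field names are assumptions.

```python
"""Cart dataset keyed by the session cookie ID, with line and order totals and
a whitelist that keeps customer and payment data out of cart records.
Added example; not the deck's WebXelCart/AddfromDb/WritetoDB controls."""
import secrets
from dataclasses import dataclass

# Constructed stand-in for the products table on the remote database (pence).
PRODUCT_TABLE = {
    1: {"description": "Widget", "unit_price": 250},
    2: {"description": "Gadget", "unit_price": 1000},
}

# The only fields a cart record may carry: product data, nothing about the customer.
CART_FIELDS = frozenset({"product_id", "description", "unit_price", "quantity"})


@dataclass
class CartLine:
    orderline_id: int      # equivalent to the cookie record ID
    product_id: int
    description: str
    unit_price: int
    quantity: int

    @property
    def line_total(self):
        return self.unit_price * self.quantity


class Cart:
    def __init__(self, order_id=None):
        # The cookie ID is the order ID; default to an unguessable random value.
        self.order_id = order_id or secrets.token_urlsafe(16)
        self._lines = {}
        self._next_line_id = 1

    def add_from_db(self, product_id, quantity=1):
        """AddfromDb-style step: copy description and price out of the product table."""
        rec = PRODUCT_TABLE.get(product_id)
        if rec is None or quantity < 1:
            return False
        for line in self._lines.values():       # same product again: one record per product
            if line.product_id == product_id:
                line.quantity += quantity
                return True
        line = CartLine(self._next_line_id, product_id,
                        rec["description"], rec["unit_price"], quantity)
        self._lines[line.orderline_id] = line
        self._next_line_id += 1
        return True

    def set_field(self, orderline_id, field, value):
        """Refuse anything that is not a cart field (e.g. card or address data)."""
        if field not in CART_FIELDS:
            raise ValueError(f"{field!r} is not a cart field; customer data does not go in the cart")
        setattr(self._lines[orderline_id], field, value)

    def lines(self):
        """Rows for the cart display: one per product, including the line total."""
        return [(ln.orderline_id, ln.description, ln.quantity, ln.unit_price, ln.line_total)
                for ln in self._lines.values()]

    def order_total(self):
        return sum(ln.line_total for ln in self._lines.values())

    def to_order_rows(self, customer_id):
        """What a WritetoDB-style step would insert: one orders row, one orderline row per record."""
        order_row = {"order_id": self.order_id, "customer_id": customer_id}
        line_rows = [{"orderline_id": ln.orderline_id, "order_id": self.order_id,
                      "product_id": ln.product_id, "quantity": ln.quantity,
                      "unit_price": ln.unit_price} for ln in self._lines.values()]
        return order_row, line_rows

    def discard(self):
        """Logout: the local dataset is deleted rather than left in memory."""
        self._lines.clear()
```

The customer ID is supplied only at the moment the final contents are written to the remote database, so the cart itself never holds it.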

Page 21: COMP3121 E-Commerce Technologies

When to collect customer data
• Long standing debate amongst shopping cart designers…
• Can either:
  » make customers “register” when they enter the site
  » Or… only make customers register when they are ready to buy
• The former might be better from a marketing perspective (collecting “intelligence” on potential customers…)
  » but will put some customers off even browsing the site
• Customer registration only when buying is preferable (IMHO…)

Page 22: COMP3121 E-Commerce Technologies

Issues with Customer Data
• Not stored with the cart but customer details capture is a crucial part of the shopping SYSTEM
• Private Data!!!
  » MUST (1998 Data Protection Act) be kept up to date, stored and moved securely
  » better not to store locally
  » write directly to/from the remote, secure, database
  » always sent/received using secure http

Page 23: COMP3121 E-Commerce Technologies

Essential Customer Fields for Purchase
• Name & address fields
  » include postcode
• Email address
  » fulfilment information & messages
• Telephone no
  » in case email fails
• Shipping address fields
  » customer may not want goods delivered to the same address…

Page 24: COMP3121 E-Commerce Technologies

Handling Customer Data
• Added by the customer to a HTML form
  » extracted by put or get
  » sent securely using http-s
• Processed remotely on a secure server & stored on a secure remote database
• sensitive data (e.g. customer’s credit card details) should be sent securely to a specialist provider with an SSL certificate
  » can only send such data via https over a secure connection to a secure server
• Under no circumstances should personal or sensitive customer data be dealt with using standard HTTP!

Page 25: COMP3121 E-Commerce Technologies

On-line Payment Systems
• Requires an effective & highly secure method of:
  1. authentication of the user
  2. authorisation of the amount required for payment (has to follow authentication)
• BOTH effectively achieved through an on-line link to the International banking system
• Usually a fee required to make this link
  » makes sense to do authentication & authorisation at the same time
  » some shopping cart payment systems authenticate NOW, and authorise LATER

Page 26: COMP3121 E-Commerce Technologies

Authentication (Is the user really who they say they are?)
• Will require confirmation of:
  » name
  » type of account
  » account number
  » other information (e.g. start date, expiry date, issue number), depending on the type of account

Page 27: COMP3121 E-Commerce Technologies

Authorisation (even if they are that person, can they pay?)
• Just because the user has that account with those details, doesn’t mean they have the funds available to pay for the goods…
• The account needs to be checked against the invoice amount to make sure that the account has sufficient funds…
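
The flow of Pages 24 to 27 in code, as an added example that is not part of the original deck: the merchant side forwards the card details (name, account number, expiry) to a specialist provider only over https and keeps nothing but the provider's token; authentication must succeed before authorisation is attempted; and authorisation checks the invoice amount against the available funds. The provider, its account records and the token scheme are constructed stand-ins for the bank link, and all names are assumptions.

```python
"""Authenticate-then-authorise card payment with the merchant forwarding card
details over https only and retaining no copy of them.
Added example with a constructed provider stub; not code from the original deck."""
import secrets
from urllib.parse import urlsplit

# Constructed provider-side records: account number -> holder, expiry, balance (pence).
PROVIDER_ACCOUNTS = {
    "4111-0000": {"name": "A. Customer", "expiry": "12/13", "balance": 5000},
}


class ProviderStub:
    """Stands in for the provider/bank link; hands back tokens, never card data."""

    def __init__(self):
        self._tokens = {}  # token -> account number

    def authenticate(self, name, account_number, expiry):
        """Is the user really who they say they are? All supplied details must match."""
        acct = PROVIDER_ACCOUNTS.get(account_number)
        if acct is None or acct["name"] != name or acct["expiry"] != expiry:
            return None
        token = secrets.token_hex(8)
        self._tokens[token] = account_number
        return token

    def authorise(self, token, amount):
        """Can they pay? Refused outright unless authentication came first."""
        account_number = self._tokens.get(token)
        if account_number is None:
            return "not authenticated"
        acct = PROVIDER_ACCOUNTS[account_number]
        if acct["balance"] < amount:
            return "insufficient funds"
        acct["balance"] -= amount
        return "approved"


def secure_endpoint(url):
    """Card data may only be sent to an https endpoint with a host; anything else is refused."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


class MerchantCheckout:
    """The shop side: forwards card details, stores only the provider's token."""

    def __init__(self, provider, provider_url):
        self.provider = provider
        self.provider_url = provider_url
        self.pending = {}  # order_id -> token ("authenticate now, authorise later")

    def authenticate_now(self, order_id, card):
        if not secure_endpoint(self.provider_url):
            raise RuntimeError("refusing to send card details to a non-https endpoint")
        token = self.provider.authenticate(card["name"], card["account_number"], card["expiry"])
        if token is None:
            return False
        self.pending[order_id] = token  # the card dict itself is not kept anywhere
        return True

    def authorise_later(self, order_id, amount):
        token = self.pending.get(order_id)
        if token is None:
            return "not authenticated"
        result = self.provider.authorise(token, amount)
        if result == "approved":
            del self.pending[order_id]
        return result
```

The merchant's `pending` map is the only state the shop keeps between the two steps, and it holds tokens rather than account numbers, which is what "just forward it securely" on the summary slide amounts to in practice.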

Page 28: COMP3121 E-Commerce Technologies

B2B Payment Systems
• Usually make use of EFT (Electronic Funds Transfer)
• Both buyer and seller need to contact relevant bank computer:
  » for authentication purposes
  » to transfer funds
• On-line banking system needs to be very secure:
  » 512 bit encryption
  » private networks with secure gateway from the Internet

Page 29: COMP3121 E-Commerce Technologies

B2C Payment Systems
• Payment takes place through the vendor’s web site
  » most popular method - credit or debit card
• Relevant bank computer needs to be contacted
  » uses The Internet to find gateway to bank network
  » security between bank, server, and browser a major issue - use VPN & secure protocols such as SSL & http-s
• Once within the International Banking Network, similar authentication and funds transfer systems as for B2B

Page 30: COMP3121 E-Commerce Technologies

Security Issues with B2C Payment Systems
• Data could technically be intercepted either:
  » at the user’s browser
  » at the vendor’s server
  » at the gateway to the International Banking Network
  » en-route between any of the above
• Correct use of VPNs (Virtual Private Networks), with encryption and secure protocols throughout make it extremely unlikely that data will be intercepted en route

Page 31: COMP3121 E-Commerce Technologies

Protection of “Data at Rest”
• No sensitive or personal data on the client
• What about the server? The Internet allows any node to be a potential target…
  » some early systems stored credit card details on the vendor’s server
    » without encryption!
    » asking for trouble!
  » Some concern also about the “secure servers” of merchant service providers
    » must hold e.g. credit card numbers
    » may be protected by VPN but data still stored in an encrypted format

Page 32: COMP3121 E-Commerce Technologies

Securing those Merchant Servers
• Server security a matter of:
  » configuration and management of the server software
  » setting appropriate user privileges and file security
  » auditing of all access to confidential data
  » appropriate monitoring of attempted entry to the system by “invalid” users
• Probably a lot safer to have credit details held here than written down by a stranger at the other end of the telephone line…
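
The last two points, auditing every access to confidential data and monitoring attempted entry by invalid users, as a small audit pass over server log lines. This is an added example and not part of the original deck: the key=value log format, the sample lines and the names of the confidential tables are all constructed for the example, and the failed-login threshold is an assumption.

```python
"""Audit and monitoring pass over constructed server access-log lines: records
every read of a confidential table and flags sources with repeated failed logins.
Added example; the log format is an assumption, not one the deck specifies."""
from collections import Counter

CONFIDENTIAL_TABLES = {"customer", "card_token"}  # assumed confidential tables

# Constructed sample log: timestamp followed by key=value fields.
SAMPLE_LOG = """\
2011-11-07T10:00:01 src=10.0.0.5 user=alice action=login result=ok
2011-11-07T10:00:09 src=10.0.0.5 user=alice action=read table=product result=ok
2011-11-07T10:01:12 src=10.0.0.5 user=alice action=read table=customer result=ok
2011-11-07T10:02:30 src=198.51.100.7 user=admin action=login result=fail
2011-11-07T10:02:31 src=198.51.100.7 user=admin action=login result=fail
2011-11-07T10:02:33 src=198.51.100.7 user=root action=login result=fail
2011-11-07T10:02:35 src=198.51.100.7 user=sa action=login result=fail
2011-11-07T10:05:00 src=10.0.0.9 user=iis_process action=read table=card_token result=ok
2011-11-07T10:06:00 src=10.0.0.9 user=iis_process action=login result=fail
""".splitlines()


def parse_line(line):
    """Split one log line into a dict; the first token is the timestamp."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def audit(lines, fail_threshold=3):
    """Return the confidential-data access trail and the sources with too many failed logins."""
    confidential_reads = []
    failures = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("action") == "read" and rec.get("table") in CONFIDENTIAL_TABLES:
            confidential_reads.append((rec["ts"], rec.get("user"), rec["table"]))
        if rec.get("action") == "login" and rec.get("result") == "fail":
            failures[rec.get("src")] += 1
    suspicious = {src: n for src, n in failures.items() if n >= fail_threshold}
    return {
        "confidential_reads": confidential_reads,  # every access, successful or not, is recorded
        "failed_logins": dict(failures),
        "suspicious_sources": suspicious,           # candidates for blocking or follow-up
    }
```

The audit trail lists the IIS process user's read of the card token table alongside the human user's read of the customer table, which is the point of auditing all access rather than only interactive logins; the threshold separates a single mistyped password from a run of attempts under different account names.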

Page 33: COMP3121 E-Commerce Technologies

Keeping the Customer Informed!
• By email! Relatively easy to set up
  » of paramount importance, bearing in mind that customers may be from overseas
• Opportunities to send messages when:
  » credit details are authenticated
  » order is paid for
  » order is picked
  » order is dispatched

Page 34: COMP3121 E-Commerce Technologies

Summary of Main Points
• Client-server shopping system must have a well designed database held remotely
• Cart & cart fields should be held in local computer whilst user is logged on
• Customer data should be held remotely
• Standard shopping cart should not handle online payment data at all, just forward it securely

Page 35: COMP3121 E-Commerce Technologies

Good Planning for Shopping Systems
• Develop the data model (database)
• Plan the shopping pages
• Identify the scripts needed to store customer shopping data, produce the cart and invoice
• Plan the datasets that will be used for temporary data storage
• Choose an Implementation model to interface with the data model (e.g. IIS, asp.net/c#, MDAP, Access)
• Select a Payment System that works with the Implementation model chosen

Page 36: COMP3121 E-Commerce Technologies

Thanks for listening…