[ic] displaying a users basket to an external script

Kevin Walsh interchange-users@icdevgroup.org
Sun Oct 20 11:10:01 2002


John Allman [allmanj@houseofireland.com] wrote:
> 
> Hi - I need to be able to show the contents of a user's basket to a script that is called from another website. The idea 
> is that users arriving on this "portal" website will be able to shop on our site among others. Our site will be loaded in 
> a frame and a parameter will be passed to us via an HTTP GET to identify that the user is browsing from this portal site. 
> When the user reaches the checkout our site will call a script on the portal site which will in turn call a script on our 
> site to display the basket in a specified XML format for them to parse.
> 
> The issue then is identifying the correct basket and doing it in as secure a manner as possible. The way that springs to 
> mind is to use the session id to identify the correct basket. We could then pass the session id to their script and when 
> they passed it back to us we could display the correct basket.
> 
> Now my understanding of how Interchange handles sessions is poor at best. I believe it either maintains the session by 
> appending an id string to each URL or by cookies. Could I use this id string to load up the same session from another IP 
> address (the portal site in this case)? Can I get this string by using [read-cookie]? i.e. is the string stored in the 
> cookie the same as the id string appended to the URL?
> 
> I read this post: http://www.icdevgroup.org/pipermail/interchange-users/2000-October/001375.html which seems to be along 
> the same lines as what I'm trying to do but it doesn't go into the details of handling the session.
> 
> Is what I'm suggesting a bad way to do things? If so - what might be a good idea? If not - how would I actually go about 
> implementing it? Am I working along the right lines now?
> 
You may want to take a look into implementing the cXML standard on
your site.

In a cXML PunchOut operation, the site sends a 'purchase order' to
the portal upon checkout, rather than the portal requesting it from
the site.  This is a lot better than opening your site up to allow
arbitrary external applications to query the purchase data held on
your site.

>
> when the user reaches the checkout our site will call a script on the
> portal site which will in turn call a script on our site to display
> the basket in a specified xml format for them to parse.
>
cXML does that in one hit - passing all the required information to
the portal, without any need for a callback.

If you really wanted to use the callback method then you'd have to
save the order information into the database and pass some form of
unique key to the portal.  The portal would then call a specific page,
passing the key. Your lookup page would then format and return the data.
You'll need to carefully consider the security implications and only
ever use HTTPS+POST to pass the key and order information around.

-- 
   _/   _/  _/_/_/_/  _/    _/  _/_/_/  _/    _/
  _/_/_/   _/_/      _/    _/    _/    _/_/  _/   K e v i n   W a l s h
 _/ _/    _/          _/ _/     _/    _/  _/_/    kevin@cursor.biz
_/   _/  _/_/_/_/      _/    _/_/_/  _/    _/
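
The callback method described in the reply above, as an added sketch that is not part of the original message and is not Interchange code: the order is snapshotted at checkout under a random key that is unrelated to the session id, and the lookup honours that key once, within a short window. The `BasketHandoff` class, the five-minute lifetime, the in-memory dictionary standing in for the database and the XML layout are all assumptions; transport over HTTPS+POST is outside the sketch.

```python
import hashlib
import secrets
import time
import xml.etree.ElementTree as ET

KEY_TTL_SECONDS = 300  # assumption: the portal calls back within five minutes


class BasketHandoff:
    """Hypothetical store standing in for the order table in the database."""

    def __init__(self):
        self._orders = {}  # sha256(key) -> (expiry time, basket items)

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode("utf-8")).hexdigest()

    def save_order(self, items, now=None):
        """Snapshot the basket at checkout and return the key sent to the portal."""
        now = time.time() if now is None else now
        key = secrets.token_urlsafe(32)  # 256 random bits, not derived from the session id
        # Store only a digest so a leaked table does not reveal usable keys.
        self._orders[self._digest(key)] = (now + KEY_TTL_SECONDS, list(items))
        return key

    def lookup(self, key, now=None):
        """Return the basket as XML once; None for unknown, expired or reused keys."""
        now = time.time() if now is None else now
        record = self._orders.pop(self._digest(key), None)  # pop makes the key single-use
        if record is None or now > record[0]:
            return None
        root = ET.Element("basket")  # assumed layout; the portal's real format is not on the page
        for sku, qty, price in record[1]:
            item = ET.SubElement(root, "item", sku=sku, quantity=str(qty))
            item.text = f"{price:.2f}"
        return ET.tostring(root, encoding="unicode")


# Constructed sample basket: (sku, quantity, unit price)
SAMPLE_BASKET = [("SKU-1001", 2, 19.99), ("SKU-2002", 1, 5.00)]

if __name__ == "__main__":
    store = BasketHandoff()
    key = store.save_order(SAMPLE_BASKET)
    print(store.lookup(key))  # basket XML on first use
    print(store.lookup(key))  # None: the key has already been redeemed
```

Because the key only ever maps to the saved order snapshot, a portal that holds it cannot resume or alter the shopper's session.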