[ic] Retain shopping cart after browser restart

Josh Lavin jlavin at endpoint.com
Thu Dec 3 14:12:21 UTC 2015


Quoting Grant (emailgrant at gmail.com):
> >> >>> I noticed that Interchange loses the session once the browser is closed
> >> >>> and re-opened.  Is there a way to make it persistent so that the shopping
> >> >>> cart contents are retained like Amazon?
> >> >>
> >> >>
> >> >> It looks like I may be out of luck as far as keeping sessions persistent:
> >> >>
> >> >>
> >> >> http://www.icdevgroup.org/pipermail/interchange-users/2011-January/052595.html
> >> >>
> >> >> If so, is there a preferred method of retaining shopping cart contents in
> >> >> the same browser across sessions without requiring the user to log in?  If
> >> >> there is not, should I simply use set-cookie to save the current cart
> >> >> contents at every page load and read-cookie whenever creating a new session?
> >> >
> >> >
> >> > In that email from Mike that you pointed to, he pointed at how to do it
> >> > (while also explaining why it's not the default).
> >> >
> >> > You need to set an expiration date on the MV_SESSION_ID cookie so it will
> >> > persist after the browser is closed.
> >> >
> >> > You can do this by setting a GlobalSub in your interchange.cfg like this (to
> >> > make the cookie last 1 week, for example):
> >> >
> >> > GlobalSub <<EOR
> >> > sub set_cookie_expire {
> >> >     $Vend::Expire = Vend::Config::time_to_seconds('1 week') + time();
> >> >     return 1;
> >> > }
> >> > EOR
> >> >
> >> > And then running it on every page load by setting an Autoload in your
> >> > catalog.cfg like this:
> >> >
> >> > Autoload set_cookie_expire
> >>
> >>
> >> Hi Jon, thank you for the code.  I noticed that comment from Mike but
> >> he referenced a related security issue which scared me off.  Do you
> >> know what he was referring to?
> >
> > I think it's just that session cookies are supposed to expire at the end
> > of the session, so it's counter-intuitive to keep them around longer.
> > I'm not sure of security ramifications, but since it's not a login
> > cookie, if it stays around after browser close, then any user data
> > (collected during an order or order attempt) would be in there. This is
> > a problem on public computers -- you can't "logout" of a session...
> >
> > I have just released cart-cookie support, which provides for saving cart
> > info between sessions, when using the same browser:
> > https://github.com/jdigory/interchange-extras/tree/master/cart-cookie
> >
> > It may be a more ideal solution to your problem than keeping session
> > cookies around.
> 
> 
> Very nice. If I decide to set the expiration time of session cookies,
> I can't think of anywhere a user's entered data is displayed in a
> session besides on the checkout form. If I prevent that, is their data
> still potentially readable somehow?

Anywhere else you use [value fname] etc, or if you have a dump.html
page.

But why would you prevent reading the session on checkout page? That is
a feature -- so when someone enters their name/address once, it is
remembered the next time in their session that they return to the page.

-- 
Josh Lavin
End Point Corporation
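
An added illustration of the cart-only approach discussed in this thread; it is not code from Interchange, from the cart-cookie extension, or from any poster. It keeps only SKU and quantity in the persistent cookie, so form values such as name and address never outlive the session. The HMAC signing scheme, the function names and the secret are assumptions made for the example.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);
use JSON::PP ();
use MIME::Base64 qw(encode_base64url decode_base64url);

my $SECRET  = 'replace-with-random-server-side-secret';   # placeholder value
my $MAX_AGE = 7 * 24 * 60 * 60;                           # 1 week, as in the thread
my $json    = JSON::PP->new->canonical;

# Build the cookie value from a cart: keep SKU and quantity only.
sub cart_to_cookie {
    my ($cart, $now) = @_;
    my @lines = map { [ "$_->{code}", int $_->{quantity} ] } @$cart;
    my $body  = encode_base64url($json->encode({ t => $now, c => \@lines }));
    return $body . '.' . hmac_sha256_hex($body, $SECRET);
}

# Return an arrayref of cart lines, or undef if tampered, stale or malformed.
sub cookie_to_cart {
    my ($value, $now) = @_;
    my ($body, $mac) = ($value // '') =~ /\A([A-Za-z0-9_-]+)\.([0-9a-f]{64})\z/
        or return;
    my $expect = hmac_sha256_hex($body, $SECRET);
    # Compare every character so timing does not depend on the first mismatch.
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expect, $_, 1)) for 0 .. 63;
    return if $diff;
    my $data = eval { $json->decode(decode_base64url($body)) } or return;
    return if ref($data) ne 'HASH' or $now - ($data->{t} // 0) > $MAX_AGE;
    my @cart;
    for my $line (@{ $data->{c} || [] }) {
        next unless ref($line) eq 'ARRAY';
        my ($code, $qty) = map { $_ // '' } @$line;
        # Re-validate on the way in: the cookie is still client-held input.
        next unless $code =~ /\A[\w.-]{1,64}\z/ and $qty =~ /\A[1-9]\d{0,3}\z/;
        push @cart, { code => $code, quantity => $qty };
    }
    return \@cart;
}

# Constructed sample: a cart line carrying an extra field that must not persist.
my $now    = time;
my @cart   = ({ code => 'os28004', quantity => 2, fname => 'Alice' });
my $cookie = cart_to_cookie(\@cart, $now);
printf "restored: %s\n", $json->encode(cookie_to_cart($cookie, $now));
printf "tampered: %s\n",
    defined cookie_to_cart("x$cookie", $now) ? 'accepted' : 'rejected';
```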


