COMP3121 E-Commerce Technologies
Richard Henson
University of Worcester
November 2010

Week 7: More on Server-side Shopping Carts

Objectives
Discuss relative merits and problems of server-side shopping carts
Plan and design a relational database for use in storing product and customer data
Use pre-written server behaviours with the VWD environment
Integrate pre-written server behaviours to assemble a server-side shopping cart system

Shopping System Processes
Extract buying data for item
Create product and order totals
Display online order
Extract customer details
Send relevant details to secure server for online payment
Display online invoice including any additional charges
Provide fulfilment information to customer via email

Possible Data Model with entities/attributes added

Which comes first… the chicken or the egg?
Which to develop first… data model or process model? Much debate…
Generally, it is considered to be a good idea to start with the data… That means:
» identifying the ENTITIES
» modelling their relationships
» adding the ATTRIBUTES

Possible basic data (entity) model for a Shopping System
(diagram: entities customer, order, order line and product)
No entity relationships shown! Where does Shopping Cart fit?
Creating the Physical Database from a Logical Design
Database that can work with SQL required… Popular options for small(ish) databases:
Microsoft Access
» only Access 2000 onwards properly SQL compliant
MySQL
» originally shareware for Unix
» now available for W2K
Popular options for larger databases: SQL Server, ORACLE

Testing the Logical Design with Physical Data…
It works on paper… But a practical working model is needed:
» create database tables
» link them together, according to the Entity model you created
» populate the tables with trial data of an appropriate format
» make sure all is consistent

Typical RAD tool “errors”…
MUCH can go wrong…!!! Before embarking on shopping cart development…
» need to make sure all local/remote web server settings are correct
» screen fields and db fields must use the same format: mustn’t use “reserved words” or punctuation, including spaces
» users must have sufficient access rights to write to the database; this especially includes the “IIS process” user
» major adjustments may be needed in response to a minor change in design… TRUE OF MOST SOFTWARE DEVELOPMENT PROJECTS… all the more reason to get the design right…
Benefits of using a RAD tool
Puts a huge array of asp.net objects and behaviours at your disposal
Provides the local, remote, and application/testing server options to aid development and testing
Helps you set up controls to support the execution of aspx files within the .net framework
Uses objects and behaviours to create GET and PUT HTML pages to interact with the database
Provides for seamless database connectivity
Allows easy ftping to a remote server on the www

Role of Server Behaviours in creating Product Pages
After the database has been thoughtfully designed… it needs to be physically implemented
Server behaviours with appropriate embedded SQL are then required for:
» picking the right data out of the remote database
» writing data to the appropriate locations in HTML pages on the local client browser

Local storage of “remote” data
Asp.net supports local storage of data through the use of datasets
» simply a local copy of various data fields held on one or more data tables on the remote database
» each field becomes a variable in local memory
The dataset fields map directly onto the fields in the remote database
» new data can therefore always be stored locally until the appropriate server command is made that writes it to the remote database

The Dataset Display (one record)
As you have seen, VWD facilitates the set up of datasets & datagrids
Can then be used to display dataset data on a HTML page, as the shopping cart
» a form/further control can be used to create a HTML table for displaying a single record
» a navigation bar object can then be added and used to navigate to other records

Use of “Repeated Region”
To display multiple records from a defined dataset, the following procedure is needed:
» highlight the row where data is displayed (data only – not column headings)
» choose “Repeat Region” from the available Server Behaviours
» select the number of records you wish to display (10 is the default)
Making the Product Pages Attractive and Usable
All the principles of web page design learned in COMP1141, 2121, 2040, etc. should still apply:
» use Templates and CSS if possible to give all the pages a common background layout and the same look and feel
» also make use of VWD’s client behaviours, written in various languages
» make sure the pages load quickly by using software such as Photo Editor or PhotoShop, keeping graphics small, of lower resolution, or both

Encouraging Customer Interaction
The next stage of the product pages is the customer interactivity that represents buying
Again, server behaviours must be written/engineered/used to extract the data from various types of HTML forms and store it:
» temporarily in the local datasets
» permanently in the remote database

How to capture “buying” data
Needs to be triggered from the shopping pages
» hotlink that passes the product record ID to a newly created session cookie, known as THE CART…
» and extracts other data to the cart from the product table, e.g. price
Each new cookie needs an ID
» a cookie represents an order… orderID represents cookieID
» each new product ordered creates an orderline… each orderline needs an ID
In real shopping systems, orders and orderlines are saved to a remote database
» essential for a business to keep transaction records…

When to collect customer data
Long standing debate amongst shopping cart designers… Can either:
» make customers “register” when they enter the site
» or… only make customers register when they are ready to buy
The former might be better from a marketing perspective (collecting “intelligence” on potential customers…) but will put some customers off even browsing the site
Customer registration only when buying is preferable IMHO
The Shopping Cart
In Dreamweaver terms, this is a dataset…
» extracted from fields from different tables held on a remote database: products, orders, order-items in a specific order
» stored securely in local memory
» easily extracted for screen display

Displaying the Shopping Cart
A web page needs to be designed to display cart data from the dataset in an appropriate place
A table design tool saves time…
» rows and columns as appropriate…
» programming code extracts and displays data in the cells

Display of Shopping Calculations
Expectation that a shopping cart will display…
» a line for each product – including line total
» and an order total
For the display of line totals and order totals…
» calculations need to be included
» cart fields needed for results of these calculations
Creation of the cart display is then simply a matter of:
» extracting data from a local recordset/dataset
» displaying it on the pre-formatted page
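As an added example (not part of the lecture), this Python script carries the “testing the logical design with physical data” steps and the shopping calculations above through in one place: it creates the four entities (customer, order, order line, product) as SQLite tables with foreign keys, loads constructed trial data in a consistent format (money as integer pence), and computes the line totals and order total the cart display needs. Table and column names are assumptions; the order table is called customer_order because “order” is an SQL reserved word, exactly the RAD-tool trap the slides warn about.

```python
import sqlite3

# Entity model from the lecture: customer, order, order line, product.
# "order" is an SQL reserved word, so that table is named customer_order.
# Names are assumptions for this example; money is integer pence so totals
# never suffer floating-point rounding.
SCHEMA = """
CREATE TABLE customer (customer_id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                       email TEXT NOT NULL, postcode TEXT NOT NULL);
CREATE TABLE product (product_id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                      price_pence INTEGER NOT NULL CHECK (price_pence >= 0));
CREATE TABLE customer_order (order_id INTEGER PRIMARY KEY,
                             customer_id INTEGER NOT NULL REFERENCES customer(customer_id),
                             placed_on TEXT NOT NULL);
CREATE TABLE orderline (orderline_id INTEGER PRIMARY KEY,
                        order_id INTEGER NOT NULL REFERENCES customer_order(order_id),
                        product_id INTEGER NOT NULL REFERENCES product(product_id),
                        quantity INTEGER NOT NULL CHECK (quantity > 0),
                        UNIQUE (order_id, product_id));
"""

# Constructed trial data: one customer, two products, one order of two lines.
TRIAL_DATA = """
INSERT INTO customer VALUES (1, 'A. Customer', 'a.customer@example.com', 'WR2 6AJ');
INSERT INTO product VALUES (10, 'Widget', 250), (11, 'Gadget', 1999);
INSERT INTO customer_order VALUES (100, 1, '2010-11-01');
INSERT INTO orderline VALUES (1, 100, 10, 3), (2, 100, 11, 1);
"""


def open_trial_db():
    """Create the physical tables in memory and populate them with trial data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # enforce the entity relationships
    conn.executescript(SCHEMA + TRIAL_DATA)
    return conn


def add_orderline(conn, order_id, product_id, quantity):
    """Add a line to an order. Returns False, rather than storing bad data,
    if the row would break a foreign key, CHECK or UNIQUE constraint."""
    try:
        with conn:
            conn.execute(
                "INSERT INTO orderline (order_id, product_id, quantity) VALUES (?, ?, ?)",
                (order_id, product_id, quantity),
            )
        return True
    except sqlite3.IntegrityError:
        return False


def line_totals(conn, order_id):
    """One tuple per orderline: (product name, quantity, unit price, line total).
    The unit price always comes from the product table on the server."""
    return conn.execute(
        """SELECT p.name, ol.quantity, p.price_pence,
                  ol.quantity * p.price_pence AS line_total
           FROM orderline ol JOIN product p ON p.product_id = ol.product_id
           WHERE ol.order_id = ?
           ORDER BY ol.orderline_id""",
        (order_id,),
    ).fetchall()


def order_total(conn, order_id):
    """Order total in pence, summed from the line totals."""
    return sum(row[3] for row in line_totals(conn, order_id))


def pounds(pence):
    # Format integer pence for the cart display, e.g. 2749 -> '£27.49'.
    return f"£{pence // 100}.{pence % 100:02d}"


if __name__ == "__main__":
    db = open_trial_db()
    for name, qty, unit, total in line_totals(db, 100):
        print(f"{name:8} x{qty} @ {pounds(unit)} = {pounds(total)}")
    print("Order total:", pounds(order_total(db, 100)))
```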
Secure storage/Retrieval of Shopping Cart Data
Sensitive and Private Data should be secure
» remote storage obviously better!
Cart data is best held locally for quick response – dilemma?
Compromise
» use local datasets with high level of local security
» only store non-sensitive data in cart fields
Solution: cart data held locally as a “session cookie”… deleted as soon as the customer logs out…
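As an added example (not from the lecture), this Python code models the “session cookie” cart described above and in the “How to capture buying data” slide: the cookie carries only an order ID and (product ID, quantity) pairs, never prices, addresses or card details, and an HMAC lets the server detect a tampered cookie before it prices the order from its own product table. The key name, field names and the product price lookup are assumptions; Secure, HttpOnly, SameSite and Max-Age are standard Set-Cookie attributes.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical server-side signing key for this example. A real deployment
# generates it once, keeps it out of the page code, and never sends it to
# the browser. The HMAC gives tamper detection, not secrecy, which is why
# the cart must hold only non-sensitive fields.
SERVER_KEY = secrets.token_bytes(32)
TAG_LEN = hashlib.sha256().digest_size

# The only fields a cart may carry: the order ID (which identifies the
# cookie, as in the lecture) and (product_id, quantity) pairs.
ALLOWED_FIELDS = {"order_id", "lines"}


def rejected_fields(cart):
    """Names of fields that must not be stored in the cart (e.g. card numbers)."""
    return sorted(set(cart) - ALLOWED_FIELDS)


def make_cart_cookie(cart, key=SERVER_KEY):
    """Serialise the cart and append an HMAC-SHA256 tag; refuse sensitive fields."""
    bad = rejected_fields(cart)
    if bad:
        raise ValueError(f"fields not allowed in the cart cookie: {bad}")
    body = json.dumps(cart, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode().rstrip("=")


def read_cart_cookie(value, key=SERVER_KEY):
    """Return the cart dict, or None if the cookie is malformed or was altered."""
    try:
        raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    except (ValueError, TypeError):
        return None
    if len(raw) <= TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        cart = json.loads(body)
    except ValueError:
        return None
    if not isinstance(cart, dict) or rejected_fields(cart):
        return None
    return cart


def price_cart(cart, product_prices):
    """Order total in pence. Prices come from the server's product table,
    keyed by product ID, so the client cannot set its own price."""
    return sum(product_prices[pid] * qty for pid, qty in cart["lines"])


def set_cookie_header(value):
    # No Expires/Max-Age makes this a session cookie; Secure keeps it off
    # plain HTTP and HttpOnly keeps it away from page scripts.
    return f"Set-Cookie: cart={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def logout_header():
    """Delete the cart cookie as soon as the customer logs out."""
    return "Set-Cookie: cart=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=Lax"
```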
Issues with Customer Data
Not stored with the cart, but customer details capture is a crucial part of the shopping SYSTEM
Private Data!!! MUST (1998 Data Protection Act) be kept up to date, stored and moved securely
» better not to store locally
» write directly to/from the remote, secure, database
» always sent/received using secure http

Essential Customer Fields for Purchase
Name & address fields
» include postcode
Email address
» fulfilment information & messages
Telephone no
» in case email fails
Shipping address fields
» customer may not want goods delivered to the same address…

Handling Customer Data
Added by the customer to a HTML form
» extracted by put or get
» sent securely using http-s
Processed remotely on a secure server & stored on a secure remote database
Sensitive data (e.g. customer’s credit card details) should be sent securely to a specialist provider with an SSL certificate
» can only send such data via https over a secure connection to a secure server
Under no circumstances should ANY customer data be dealt with using standard HTTP!
On-line Payment Systems
Requires an effective & highly secure method of:
1. authentication of the user
2. authorisation of the amount required for payment (has to follow authentication)
BOTH effectively achieved through an on-line link to the International banking system
» usually a fee required to make this link
» makes sense to do authentication & authorisation at the same time
» some shopping cart payment systems authenticate NOW, and authorise LATER

Authentication (Is the user really who they say they are?)
Will require confirmation of:
» name
» type of account
» account number
» other information (e.g. start date, expiry date, issue number), depending on the type of account

Authorisation (even if they are that person, can they pay?)
Just because the user has that account with those details, doesn’t mean they have the funds available to pay for the goods…
The account needs to be checked against the invoice amount to make sure that the account has sufficient funds…
B2B Payment Systems
B2B systems usually make use of EFT (Electronic Funds Transfer)
Both buyer and seller need to contact relevant bank computer:
» for authentication purposes
» to transfer funds
On-line banking system needs to be very secure:
» 512 bit encryption
» private networks with secure gateway from the Internet

B2C Payment Systems
Payment takes place through the vendor’s web site
» most popular method – credit or debit card
Relevant bank computer needs to be contacted
» uses the Internet to find gateway to bank network
» security between bank, server, and browser a major issue – use VPN & secure protocols such as SSL & http-s
Once within the International Banking Network, similar authentication and funds transfer systems as for B2B

Security Issues with B2C Payment Systems
Data could technically be intercepted either:
» at the user’s browser
» at the vendor’s server
» at the gateway to the International Banking Network
» en route between any of the above
Correct use of VPNs (Virtual Private Networks), with encryption and secure protocols throughout, makes it extremely unlikely that data will be intercepted en route
Protection of “Data at Rest”
The Internet allows any node to be a potential target…
Some early systems stored credit card details on the vendor’s server
» asking for trouble!
Some concern also about the “secure servers” of merchant service providers
» must hold e.g. credit card numbers stored in an encrypted format
Client browser only holds screen payment data in computer memory
» local hard disk would be a potential security hole…

Securing those Merchant Servers
Server security is a matter of:
» configuration and management of the server software
» setting appropriate user privileges and file security
» auditing of all access to confidential data
» appropriate monitoring of attempted entry to the system by “invalid” users
Probably a lot safer to have credit details held here than written down by a stranger at the other end of the telephone line…
Keeping the Customer Informed!
Relatively easy to produce a system to keep the customer informed about their order
Importance of taking the trouble to do this is paramount, bearing in mind that customers may be from overseas
Easiest way to communicate progress with customer is to use email
Possible to send messages when:
» credit details are authenticated
» order is paid for
» order is picked
» order is dispatched

Summary of Main Points
Very good reasons for making both product pages and shopping cart client-server
Client-server shopping system must have a well designed database held remotely
Cart & cart fields should be held in local computer whilst user is logged on
Customer data should be held remotely
Standard shopping cart should not handle online payment data at all, just forward it securely

Good Planning for Shopping Systems
Develop the data model (database)
Plan the shopping pages
Identify the scripts needed to store customer shopping data, produce the cart and invoice
Plan the datasets that will be used for temporary data storage
Choose an implementation model for the data model (e.g. IIS, asp, MDAP, Access)
Select a payment system that works with the implementation model chosen