Last post Sep 13, 2007 09:37 AM by pranshu
Sep 12, 2007 10:29 AM | firstname.lastname@example.org
Hello, I am trying to figure out the best architecture to employ for a project similar to Google Checkout, where lots of sites on different domains and maybe different web servers can use a shared basket. See the diagram below:
These different sites will need to display what's in the basket, plus they will need to be able to add items to it as well. I was thinking of using web services to add and retrieve the basket items from the checkout site as laid out below:
The problem is how do I identify the same user when he moves from one site to another? His session ID will change and I can't access a cookie created by a different domain. So if I stored a basket ID in a cookie for one site I wouldn't be able to pick it up.
Thanks for any help
Sep 13, 2007 12:33 AM | pranshu
Cookie is the right answer. As you rightly point out, a cookie is for a domain. Hence you have to do the same thing that Single Sign On engines do.
The way Single Sign On works is as follows:
Let's say you have 2 domains, a.com and b.com, which will participate in SSO. Your SSO server is at sso.c.com.
Let's say a user visits a.com. a.com checks for a valid session, does not find it, so redirects the user at
sso.c.com checks for a cookie it might have set before; if it does not see any cookie (set by itself), the case here as the user is visiting sso.c.com for the first time, it asks for ID/password, authenticates the user and redirects the user to
Now ASP pages at a.com could use the session token to query the SSO server for more details about the user.
Now let's say the user moves to b.com. Again no session, so the user is redirected to sso.c.com. Since the user has a cookie from sso.c.com, the user is able to authenticate and proceed by being redirected immediately to
You need to do the same thing, i.e. the call to www.mycheckoutsite.com must happen from the user's browser and not from your ASP page or server. (You could use Ajax for that.) And so it will work across domains because the cookie the browser gets from www.mycheckoutsite.com will always be returned.
You can also return a token by redirecting browsers to, let's say, www.mysite.com/addCheckoutToken.aspx?TokenId=xyz when they make the Ajax call to
frames and Response.Redirects to exchange data between your site and the checkout site in certain cases.
Sep 13, 2007 04:56 AM | email@example.com
Right, I see what you mean. I was thinking about what you said; could I do this:
User comes to a.com for the first time so has no identifier. User then clicks the add to basket button, the code calls the AddProductToBasket web service method which takes the parameters ProductID and Identifier. The identifier is pulled from the
cookie on a.com, but in this instance the cookie is empty, so the method is called as follows:
checkout.com's AddProductToBasket method checks to see if the Identifier passed is nothing; if so, it creates one and can now create a basket. The method returns the identifier to
a.com and then it can set it in its own cookie. So the next time the user wants to add a product or view the basket contents it can pass the identifier stored in the cookie in its domain. The user doesn't need to sign on until they want to
I think this works on similar lines as you have said above. Can you see any potential problems?
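The two designs discussed above (pranshu's SSO redirect flow and the per-site basket identifier in the previous post) both hinge on one browser rule: a cookie is returned only to the host that set it. The model below is an added example, not code from either poster; the hosts a.com, b.com, sso.c.com and checkout.com, and the handler and method names, are assumptions chosen to mirror the thread. It models a browser with a per-host cookie jar, runs the server-to-server basket call and the browser-initiated basket call side by side, and walks the SSO redirect round trip once.

```python
"""Constructed model of the thread's design: per-host cookies, a shared checkout.com
basket, and an SSO-style redirect. Hosts and handler names are assumptions."""
import secrets


class Browser:
    """Cookie jar scoped per host: a.com can never read a cookie set by checkout.com."""

    def __init__(self):
        self.jar = {}

    def request(self, server, path, query=None, max_redirects=5):
        """Send only that host's cookies, store what it sets, and follow redirects."""
        for _ in range(max_redirects + 1):
            cookies = dict(self.jar.get(server.host, {}))
            resp = server.handle(path, query or {}, cookies)
            self.jar.setdefault(server.host, {}).update(resp.get("set_cookies", {}))
            if "redirect" not in resp:
                return resp
            server, path, query = resp["redirect"]
        raise RuntimeError("redirect loop")


class CheckoutServer:
    host = "checkout.com"

    def __init__(self):
        self.baskets = {}

    def add_product(self, product_id, identifier):
        """Web-service method: an empty or unknown identifier gets a fresh, unguessable one."""
        if identifier not in self.baskets:
            identifier = secrets.token_urlsafe(32)  # 256 random bits, never a sequential number
            self.baskets[identifier] = []
        self.baskets[identifier].append(product_id)
        return identifier

    def handle(self, path, query, cookies):
        """Browser-initiated (Ajax) call: the basket id lives in checkout.com's own cookie."""
        ident = self.add_product(query["product_id"], cookies.get("basket"))
        return {"body": list(self.baskets[ident]), "set_cookies": {"basket": ident}}


class SsoServer:
    host = "sso.c.com"

    def __init__(self):
        self.logins = 0  # how often the user was asked for ID/password
        self.tokens = {}

    def handle(self, path, query, cookies):
        set_cookies = {}
        if "sso" not in cookies:  # first visit: ask for ID/password (simulated)
            self.logins += 1
            set_cookies["sso"] = secrets.token_urlsafe(32)
        token = secrets.token_urlsafe(32)  # one-time token handed back to the calling site
        self.tokens[token] = "alice"
        return {"set_cookies": set_cookies, "redirect": (query["return_to"], "/", {"token": token})}

    def redeem(self, token):
        """Server-to-server check by a.com/b.com of the token from the querystring."""
        return self.tokens.pop(token, None)


class Site:
    def __init__(self, host, checkout, sso):
        self.host, self.checkout, self.sso = host, checkout, sso

    def handle(self, path, query, cookies):
        if path == "/add":  # server-to-server variant: id kept in this site's own cookie
            ident = self.checkout.add_product(query["product_id"], cookies.get("basket"))
            return {"body": list(self.checkout.baskets[ident]), "set_cookies": {"basket": ident}}
        if "token" in query:  # coming back from sso.c.com
            user = self.sso.redeem(query["token"])
            return {"body": f"hello {user}", "set_cookies": {"session": user}}
        if "session" in cookies:
            return {"body": f"hello {cookies['session']}"}
        return {"redirect": (self.sso, "/login", {"return_to": self})}


def server_to_server_baskets():
    """Per-site identifier alone: b.com cannot see a.com's cookie, so a second basket appears."""
    checkout, sso, browser = CheckoutServer(), SsoServer(), Browser()
    a, b = Site("a.com", checkout, sso), Site("b.com", checkout, sso)
    browser.request(a, "/add", {"product_id": "p1"})
    return browser.request(b, "/add", {"product_id": "p2"})["body"]


def browser_initiated_baskets():
    """The call to checkout.com comes from the browser, so its cookie follows the user to every site."""
    checkout, browser = CheckoutServer(), Browser()
    browser.request(checkout, "/AddProductToBasket", {"product_id": "p1"})  # from a page on a.com
    return browser.request(checkout, "/AddProductToBasket", {"product_id": "p2"})["body"]  # from b.com


def sso_round_trip():
    """Visit a.com then b.com: one password prompt, each site ends up with its own session cookie."""
    checkout, sso, browser = CheckoutServer(), SsoServer(), Browser()
    a, b = Site("a.com", checkout, sso), Site("b.com", checkout, sso)
    pages = [browser.request(a, "/")["body"], browser.request(b, "/")["body"]]
    return sso.logins, pages


if __name__ == "__main__":
    print(server_to_server_baskets(), browser_initiated_baskets(), sso_round_trip())
```

`server_to_server_baskets` returns only `["p2"]` because b.com starts with no identifier of its own, while `browser_initiated_baskets` returns `["p1", "p2"]`: the shared basket comes from checkout.com's cookie, not from the calling site. The identifier is generated with `secrets.token_urlsafe`, since in the design above it is the only thing that ties a browser to a basket and later travels in a querystring.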
Sep 13, 2007 07:39 AM | pranshu
It's perfect, with the picture being better than the 200 words!
I will just repeat myself and say that
2) IsIdentifierNothing() is checking a cookie which the user's browser has with the checkout.com domain, if the server hasn't provided one.
3) CreateIdentifier() also sets a domain cookie in the browser for checkout.co
I will mail you the comments in a diagram offline.
Sep 13, 2007 07:56 AM | firstname.lastname@example.org
Just for completeness, pranshu's diagram:
My updated diagram:
I don't need to set a cookie on checkout.com until the user decides that he wants to checkout. Then I could pass it in a querystring like checkout.com/checkout.aspx?ID=jgsdfgdgdgjfdgjgjhg and then have it set it at that point. I will make a working model to
Sep 13, 2007 09:37 AM | pranshu
No idea about Google Checkout. CAS ( http://www.ja-sig.org/products/cas/ ), the most popular open source SSO engine, works this way, and so does Microsoft Passport.
I am meeting a couple of Google architects next Friday. Will make it a point to ask them if they know :)
Thanks for marking the post as answer.