_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1  Wiley and the book authors, 2001 E-Commerce: Fundamentals and Applications Chapter 6 : Server-Side Programming III Session Tracking

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications2  Wiley and the book authors, 2001 Outline What is session tracking in Web applications Traditional session tracking techniques  Hidden form field  URL rewriting  HTTP user authorization  Cookies

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications3  Wiley and the book authors, 2001 A realistic case in session tracking: shopping in VBS To implement a simple virtual store such as the e-pizza ordering store as shown in Fig. 6.1, users are usually provided with an electronic form (e-form) to fill in the order. After submitting the form to the server, the order can then be processed accordingly. The above approach is fine for a "simple e-retail business", which carries a small number of products. However, for large e-retail businesses, it is impractical to put all the products into a single e-form.

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications4  Wiley and the book authors, 2001 Pizza Order Scenario Using the e-Form Mechanism (Fig. 6.1)

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications5  Wiley and the book authors, 2001 A realistic case in session tracking: shopping in VBS (cont.) Let us look at the "physical" shopping scenario, for example shopping in a supermarket. The shopping process is as follows:  enter the supermarket;  get a shopping cart;  walk around the store;  choose the goods and put them into the shopping cart; and  finally check out at the cashier's counter. To emulate the above shopping process in the cyber world, we need to implement a shopping cart.

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications6  Wiley and the book authors, 2001 A realistic case in session tracking: shopping in VBS (cont.) To implement shopping cart object, there are two issues to be resolved:  The first one is how to assign and map a“shopping cart” to a user. Note that in most B2C e-commerce system, a user does not need to log into the system before shopping.  The second issue is how to keep track of the shopping cart and its content. Example:  During an e-shopping situation, we may access the VBS, get a shopping cart and then browse another Web site for a while before returning to the VBS again.  The challenge is how can we "get back" the previous shopping cart to continue shopping instead of restarting from the beginning? The solution is Session Tracking.

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications7  Wiley and the book authors, 2001 Traditional session tracking techniques To support session tracking for Web-based applications, a number of techniques have been developed. The most common ones are:  Hidden form field;  URL rewriting;  HTTP user authorization;  Cookies.

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications8  Wiley and the book authors, 2001 Hidden Form Field (HFF) - A Perspective As part of the HTML standard, "Hidden Form Field" provides a simple solution to session tracking. In the Advance Book Search (Chap 5), hidden form field technique have be used as follows:  First, the user browses the "Advanced Book Search" Web page, which provides an interface for the user to fill in the search criteria  After submitting the form to the VBS Web server, the corresponding servlet is launched by parsing the search criterion and executes the SQL statement.  Once the search result is obtained, the program formats the information using the HTML and returns it to the user  If the search result consists of multiple pages, some page pointers are presented for the user to go to the desired page.  The program uses the hidden form field to return the search criteria together with the previous ISBN of the book being displayed. Hence the books can be displayed accordingly.

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications9  Wiley and the book authors, 2001 Hidden Form Field for shopping cart To implement a shopping cart using the "Hidden Form Field", we can define a hidden field element called "username" in an HTML form. This can be used to keep track of the user session and hence the shopping cart. ….

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications10  Wiley and the book authors, 2001 Simple book ordering using HFF We use a simple example to demonstrate how to implement a “Simple Book Store” using the "Hidden Form Field" for session tracking. The system flow of this "Simple Book Store" is shown in Figure 6.2. The simple bookstore consists of FOUR major modules as follows  Bookorder.html – This is the home page or "front-door" of the whole system.  DisplayorderHFF - This servlet program is used to display the selected book(s).  ShoppingHFF – This servlet program allows users to continue shopping by 1) consolidating the previous book selection; and 2) displaying the book list again for selection.  Check out – This allows the user to “check out”.

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications11  Wiley and the book authors, 2001 System Flow Diagram for Simple Bookstore Using HFF (Fig. 6.2) Check Out Bookorder.html Displayorder HFF Shopping HFF book book +sbook

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications12  Wiley and the book authors, 2001 Simple book ordering using HFF (cont.) As shown in Fig. 6.3, the Bookorder.html file provides the "main entry" for the whole system. The HTML page consists of a simple book list and three buttons. A user can either:  click "Clear" button to reset the book selection;  click "Put to Cart" button to "put" the selected item(s) into the shopping cart; or  click "Check out" button to exit. Note that no matter which button is selected, the request is handled by the same server-side program. The parameter value of the "submit" button is used to identify the action required.

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications13  Wiley and the book authors, 2001 Pros & Cons of using Hidden Form Fields Pros:  The major advantage of using the "Hidden Form Field" is its simplicity.  As part of the HTML standard, it is supported by all browsers and therefore it can be easily implemented in all the major Web programming environments such as CGI programming, servlet programming, etc. Cons:  However if we want to keep track of a lot of information, passing information using hidden form fields may be clumsy from the implementation point of view.

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications14  Wiley and the book authors, 2001 URL Rewriting There are two commonly used methods to identify a session using URL rewriting: Method (1) To add an extra directory path to the original URL Method (2) To add additional parameters at the end of the URL E.g. Suppose that the original URL is  A user with session identity 007 will access the URL as  Using method (1) - Not supported in PHP  Note: each user is assigned a different directory path so that the Web server can identify the client accordingly.  Using method (2) Note: In this case, the program knows that the request is from the session with ID of 007.

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications15  Wiley and the book authors, 2001 URL Rewriting - Pros & Cons Pros:  URL Rewriting provides an easy-to-implement solution to session tracking. Cons:  The "Adding an Extra Path" method may not work well for complex applications and the "Adding an Extra Parameter" method can only be used with the "GET" command, but not the "POST" command.  As the POST command is often used in HTML forms, it applicability is quite limited.

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications16  Wiley and the book authors, 2001 HTTP user authorization What is HTTP user authorization?  This method supports session tracking by means of the HTTP "User Authorization" response header. Authentication is done by asking the user to provide his username and password. How can User Authorization be done for session tracking? Example:  The Web server is configured to use the WWW authentication scheme.  When a user accesses the Web server for the first time, he needs to fill in the username and password for authentication  The information is then passed to the Web server for authentication.  Once the Web server identifies the user, appropriate actions can be taken for that user.

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications17  Wiley and the book authors, 2001 Sample Page for a Web Site that Needs User Authorization (Fig. 6.8)

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications18  Wiley and the book authors, 2001 HTTP user authorization: Pros & Cons Pros:  The major advantage of using User Authorization is that it is a "standard" feature of the HTTP so it is supported by all Web servers.  It can be implemented easily.  In fact, User Authorization is still commonly used in many contemporary Web systems, especially in Intranets. Cons:  Users must be pre-registered with the Web server. Therefore it may not be suitable for B2C e-commerce system because the customers may not have any relationship with the company.  Simultaneous login cannot be supported. In other words, a user cannot establish more than one session with the same site.

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications19  Wiley and the book authors, 2001 Session tracking using Cookies In summary, cookies are "tiny" pieces of information stored in the client browser. In an e-shopping scenario, one can use cookies for session tracking as follows:  When a user accesses a B2C Web site for the first time, the Web server asks for the user information (e.g. username). Then the Web server can ask the client browser to "store" a cookie by including this cookie in the HTTP response header. For example, Set-Cookie: Username=ray The cookie with Username=ray is then stored in the client browser for later use.  Each time the user returns to the Web site, the client browser will send this cookie in the HTTP request message. Hence the cookie can be used for session tracking purpose.

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications20  Wiley and the book authors, 2001 Using Cookies: Pros & Cons Pros:  Cookies are the most commonly used method for supporting session tracking.  They are easy to implement as most server-side programming tools provide API for managing cookies.  Cookies are supported by nearly all browsers. In fact, the use of cookies is standardized in RFC Cons  A cookie can only store a limited amount of information.  There are security concerns in using cookies because it involves saving something on the client side.

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications21  Wiley and the book authors, 2001 Servlet session tracking Java servlet API provides a set of classes, namely the Session Tracking API, to handle session tracking. The advantages of using this API are as follows:  It can be used in any servlet program with little additional programming effort.  Similar to Cookies  Stored in memory of client computer

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications22  Wiley and the book authors, 2001 Session tracking: How does it work? Let us look at how session tracking can be applied for our store as follows:  When a user visits the store for the first time, the servlet engine will automatically assign a session ID to the user. The session ID is passed to the user using the “Set-Cookie” command such as Set-cookie: Session id=  Once the client’s browser gets this cookie, the cookie and hence the session ID will be stored.  Whenever the user returns to the store, the client browser sends this cookie (i.e. the session ID) to the Web server.  By identifying the session ID, the corresponding shopping cart can be retrieved for shopping.

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications23  Wiley and the book authors, 2001 System Flow of SessionDemo program (Fig. 6.10)