3

I am creating a shopping cart and I am just using the session to update the cart. But I want to set it to a cookie and retrieve it for further usage... My cart session is:

$_SESSION['cart'][$pid] = array("item_id" => $pid, "quantity" => $tobesend, "price" => $price_per_q);

I want to set this whole thing into a cookie. Help please. And I would like to know what the benefit is if I use web storage instead of a cookie here...

Thank You..

nick

3 Answers

3

Cookies are accessed by anyone who uses the user's browser, so the best thing to do is to store the cart session in the database and only store the row ID of that database entry in a cookie. So basically:

// Store the data in the database, in whatever form you choose
// last_insert_id() stands for whatever your database layer provides (e.g. PDO::lastInsertId())
$id = last_insert_id(); // Get the ID of the row in which this information is stored

// Store the id in a cookie
setcookie("cart_session_data_id", $id, time() + 3600 * 24);  /* expire in 1 day */

Now you retrieve the data from the database back into session when needed

// Get the row id from the cookie (guard against a missing cookie and cast to int)
$id = isset($_COOKIE['cart_session_data_id']) ? (int) $_COOKIE['cart_session_data_id'] : null;

// Use this ID and retrieve the data from the database

Why web storage instead of cookies?

  1. It's not wise to store sensitive data in cookies since an XSS attack can get all cookies
  2. Cookies give you a limit of 4096 bytes per domain

More Resources:

  1. http://davidwalsh.name/php-cookies
  2. http://in3.php.net/setcookie
  3. Local Storage vs Cookies
  4. Keep $_SESSION alive with autorenewing counter
Joshua Kissoon
    This is the right way to store sensitive information. +1 for storing in the database and the documentation you listed. – m79lkm Mar 07 '14 at 15:19
  • I really do not understand the sensitivity of information like id, quantity and price... Can you explain? – nick Mar 07 '14 at 15:22
  • 1
    Sensitive information (my definition) is any information you/your customer won't want any hacker getting if he hacks your customer's system. Suppose a jealous friend hacks your customer's computer: you don't want that friend to know that your customer is buying condoms, or something personal, or that he's planning to spend $x on purchases. – Joshua Kissoon Mar 07 '14 at 15:25
  • Of course if you don't think this is sensitive information and you're storing < 4mb of data, then @m79lkm solution is perfectly fine and much simpler to implement. However, I think this is sensitive info, since hackers can gain information which a customer may not have wanted to share. – Joshua Kissoon Mar 07 '14 at 15:29
  • 1
    OK, say my jealous friend knows about the condom the customer wants to buy. Can he do anything that can be harmful to my system or to the customer? I'm not talking about personal affairs; I'm talking about not letting the transaction take place or damaging anything in my system. – nick Mar 07 '14 at 15:31
  • I think some IT laws also exist on using cookies (that's why some sites ask your permission or notify you), and they have a proper definition of sensitive data, but these laws are only existent in specific countries, so you can also check that up. – Joshua Kissoon Mar 07 '14 at 15:31
  • 1
    No, that person cannot harm your system from a technical perspective. From a business perspective, you consider your customers the main component of an e-commerce system, so if the information harms your customers, then it harms your system. – Joshua Kissoon Mar 07 '14 at 15:33
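One way to implement Joshua's database-plus-cookie approach, as an added example that is not part of the answer: the cookie carries a random token instead of the row ID (a sequential ID could be guessed to reach other customers' carts), and the in-memory SQLite database, the `carts` table and the sample item values are assumptions made for the demo.

```php
<?php
// Added example: server-side cart, the cookie carries only an opaque random token.
// Assumptions for the demo: an in-memory SQLite database and a 'carts' table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE carts (token TEXT PRIMARY KEY, contents TEXT NOT NULL, updated INTEGER NOT NULL)');

const CART_COOKIE = 'cart_token';

// Save the cart and return the token that goes into the cookie.
function saveCart(PDO $db, array $cart, ?string $token = null): string {
    // The token is the only way to reach this row, so it must not be
    // guessable: 128 random bits rather than a sequential row ID.
    $token = $token ?? bin2hex(random_bytes(16));
    $stmt = $db->prepare('INSERT OR REPLACE INTO carts (token, contents, updated) VALUES (?, ?, ?)');
    $stmt->execute([$token, json_encode($cart), time()]);
    return $token;
}

// Look the cart up by token; a missing, malformed or unknown token yields an empty cart.
function loadCart(PDO $db, ?string $token): array {
    if ($token === null || !preg_match('/^[0-9a-f]{32}$/', $token)) {
        return [];
    }
    $stmt = $db->prepare('SELECT contents FROM carts WHERE token = ?');
    $stmt->execute([$token]);
    $row = $stmt->fetchColumn();
    return $row === false ? [] : (json_decode($row, true) ?: []);
}

// Request 1: the customer adds an item (constructed sample values, same shape as the question).
$pid = 42; $tobesend = 2; $price_per_q = 9.99;
$cart = [$pid => ['item_id' => $pid, 'quantity' => $tobesend, 'price' => $price_per_q]];
$token = saveCart($db, $cart);
setcookie(CART_COOKIE, $token, [
    'expires'  => time() + 3600 * 24,  // one day, as in the answer
    'path'     => '/',
    'secure'   => true,                // sent over HTTPS only
    'httponly' => true,                // not readable by page scripts, which limits the XSS case above
    'samesite' => 'Lax',
]);

// Request 2 (simulated): the browser returns the cookie and the server restores the cart.
$_COOKIE[CART_COOKIE] = $token;
$restored = loadCart($db, $_COOKIE[CART_COOKIE] ?? null);   // the saved cart, keyed by $pid
$unknown  = loadCart($db, str_repeat('0', 32));              // well-formed but unknown token: empty cart
```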
1

As @Joshua Kissoon mentioned, cookies should only be used for non-sensitive information and for a small amount of data. If you need to use a cookie you can set your data in an array and serialize it:

$cart = array($pid => array("item_id" => $pid, "quantity" => $tobesend, "price" => $price_per_q));
setcookie("cart", serialize($cart));

Check for it then access it:

if (!empty($_COOKIE) && isset($_COOKIE['cart'])) {
    // allowed_classes => false keeps unserialize() from instantiating objects from client-supplied data
    $cart = unserialize($_COOKIE['cart'], ['allowed_classes' => false]);
    echo '<pre>';print_r($cart);echo '</pre>';
}

I would only use this for unimportant data.

m79lkm
  • What is important, actually? Here I am storing price, quantity and product id of the cart. How can this be so important? And what can be done with this info by attempting XSS attacks? – nick Mar 07 '14 at 15:21
  • you are the judge of that - it is important to mention any security risks when using cookies – m79lkm Mar 07 '14 at 15:22
  • 1
    I would say that important data should be 'data that needs to be secure'. – superUntitled Mar 07 '14 at 20:26
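The cookie-only variant from this answer, as an added example that is not the answer's own code: `json_encode` replaces `serialize()` so the server never unserializes client-supplied data, and an HMAC over the value lets the server reject a cookie that was edited in the browser. `CART_KEY` is a placeholder secret and the item values are constructed.

```php
<?php
// Added example: the whole cart lives in the cookie, as JSON plus an HMAC, so the
// server never unserialize()s client data and can tell when the cookie was edited.
const CART_COOKIE = 'cart';
const CART_KEY = 'placeholder-secret-load-from-server-config';  // assumption: real deployments use a random secret kept server-side

// Encode the cart as "<base64 json>.<hmac>". Signed, not encrypted: the contents stay readable.
function encodeCartCookie(array $cart, string $key): string {
    $payload = base64_encode(json_encode($cart));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Verify and decode; returns null for a missing, malformed or tampered cookie.
function decodeCartCookie(?string $value, string $key): ?array {
    if ($value === null || substr_count($value, '.') !== 1) {
        return null;
    }
    [$payload, $mac] = explode('.', $value, 2);
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {  // constant-time comparison
        return null;
    }
    $json = base64_decode($payload, true);
    $cart = $json === false ? null : json_decode($json, true);
    return is_array($cart) ? $cart : null;
}

// Write: same structure as the question (constructed sample values).
$pid = 42; $tobesend = 2; $price_per_q = 9.99;
$cart = [$pid => ['item_id' => $pid, 'quantity' => $tobesend, 'price' => $price_per_q]];
setcookie(CART_COOKIE, encodeCartCookie($cart, CART_KEY), [
    'expires' => time() + 3600 * 24, 'path' => '/',
    'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
]);

// Read (simulated round trip): an unmodified cookie decodes back to the cart.
$_COOKIE[CART_COOKIE] = encodeCartCookie($cart, CART_KEY);
$restored = decodeCartCookie($_COOKIE[CART_COOKIE] ?? null, CART_KEY);

// A cookie whose payload was replaced (here: a different price) no longer matches its MAC,
// so decodeCartCookie() returns null and the server falls back to an empty cart.
$edited = [$pid => ['item_id' => $pid, 'quantity' => $tobesend, 'price' => 0.01]];
$forged = base64_encode(json_encode($edited)) . '.' . explode('.', $_COOKIE[CART_COOKIE])[1];
$fromForged = decodeCartCookie($forged, CART_KEY) ?? [];
// Either way, treat the cookie's price as a hint only and look the real price up by item_id when charging.
```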
0

As Joshua points out, cookies are not the best place to store cart information. That type of information should be kept on the server. Depending on your requirements, that could be session data or a database. Storing cart information on the client does not allow any insight into cart contents. For example, if someone leaves items in the cart, you can engage them by sending reminders or adding messages to the storefront page.

To answer your question, cookies are strings, so if you want to store your cart data structure as a cookie, you need to serialize it. Refer to this earlier question for a discussion on the technical merits of serialize and json_encode.

The term "web storage" is a bit ambiguous. Are you referring to the HTML5 local storage? If so, that's probably not a good option since the data is not automatically sent to the server on each request as is done with cookies.
