Forum OpenACS Development: Ecommerce pkg: an alternative to session

Hi there,
What would be a substitute to ec_user_sessions?
Products need to be added in the shopping cart from another domain. (i.e. https://www.evex.co requesting to https://evex.co).

p.s. Sharing the session isn't an option.

[07/Aug/2018:23:48:48][1519.7fb1bf7fe700][-conn:evex:12:13083-] Notice: Running ad_proc ec_get_user_session_id
[07/Aug/2018:23:48:48][1519.7fb1bf7fe700][-conn:evex:12:13083-] Notice: USERSESSIONID 3136
[07/Aug/2018:23:48:48][1519.7fb1bf7fe700][-conn:evex:12:13083-] Warning: Using deprecated sequence view hack for 'ec_order_id_sequence'. Is there not real sequence?
called from template::adp_parse /var/www/evex/packages/ecommerce/www/shopping-cart-add {}
called from adp_parse_ad_conn_file
called from rp_serve_concrete_file /var/www/evex/packages/ecommerce/www/shopping-cart-add.tcl
called from rp_serve_abstract_file 0 0 .* /var/www/evex/packages/ecommerce/www/shopping-cart-add
called from rp_handler
GET https://evex.co/ecommerce/shopping-cart-add?product_id=67177&user_id=32502 referred by 'https://www.evex.co/'; peer 201.50.28.233 user_id 32502

[07/Aug/2018:23:48:48][1519.7fb1bf7fe700][-conn:evex:12:13083-] Error: nsdbpg: result status: 7 message: ERROR: insert or update on table "ec_orders" violates foreign key constraint "ec_orders_user_session_id_fkey"
DETAIL: Key (user_session_id)=(3136) is not present in table "ec_user_sessions".

[07/Aug/2018:23:48:49][1519.7fb1bf7fe700][-conn:evex:12:13083-] Error: Database operation "dml" failed (exception ERROR, "ERROR: insert or update on table "ec_orders" violates foreign key constraint "ec_orders_user_session_id_fkey"
DETAIL: Key (user_session_id)=(3136) is not present in table "ec_user_sessions".
")

ERROR: insert or update on table "ec_orders" violates foreign key constraint "ec_orders_user_session_id_fkey"
DETAIL: Key (user_session_id)=(3136) is not present in table "ec_user_sessions".

while executing
"ns_pg_bind dml nsdb0 {
insert into ec_orders
(order_id, user_session_id, order_state, in_basket_date)
select :order_id, :user_sessio..."
("uplevel" body line 1)
invoked from within
"uplevel $ulevel [list ns_pg_bind $type $db $sql]"
invoked from within
"db_exec dml $db $full_statement_name $sql"
("uplevel" body line 2)
invoked from within
"uplevel 1 $code_block "
invoked from within
"db_with_handle -dbn $dbn db {
db_exec dml $db $full_statement_name $sql
}"
(procedure "::nsf::procs::db_dml" line 99)
invoked from within
"db_dml insert_new_ec_order "
insert into ec_orders
(order_id, user_session_id, order_state, in_basket_date)
select :order_id, :user_session_id, 'in..."
("uplevel" body line 84)
invoked from within
"uplevel {
ad_page_contract {

Posted by Benjamin Brink on
Hi Iuri,

ecommerce package had its own session_id to show related products without requiring a user to login again, for example.

The ec_session id code mirrored much of the standard session id code in the years after 2000.

With security improvements to the standard security sessions, mirroring some of the revised session_id code into the ec_sessions_id paradigm may work.

And yet, there may be a better way of handling the ec_session_id now. Maybe it is possible to use the regular session_id. Although, maybe it is not recommended.

I don't have any suggestions. If I think of something, I will post here.

best wishes,
Ben

Posted by Benjamin Brink on
Sorry, Iuri, I just re-read your question.

The relevant procs are:
ec_get_user_session_id
ec_create_new_session_if_necessary

If the session_id doesn't already exist, it is supposed to create one.

For some reason, the supplied session_id is not matching in the system.

Maybe there is a way to add a filter for cases referred by the first domain, and automatically force a new ec_session_id?

best wishes,
Ben

Posted by Iuri Sampaio on
Thanks Ben, ad_procs ec_get_user_session_id and ec_create_new_session_if_necessary are within the script already. The file's /packages/ecommerce/www/shopping-cart.tcl

The feature "add-product-to-cart" works fine when I'm in the same domain.

The feature doesn't work because product's catalog is displayed on WWW while ecommerce isn't in the same domain (i.e. https://www.evex.co/welcome/search_items and https://evex.co/ecommerce).
As expected, they won't share session, and shopping cart feature needs it in order to work well. Is that correct?

So, I'm looking for another way to make it work, without rewriting the whole CSS, HTML and JS, to display the catalog inside OACS.

1) I've tried, on NGINX, to proxy all URL requests "~/ecommerce/*" requests to www. SSL's wildcard and as both pages are under the same umbrella, i.e. the same domain and session, now they share ec_user_session_id

It worked at some point but it's definitely not a solution, and it can break acs-authentication and other pieces.

2) I also tried to add an OACS page in the middle to force user login and ec_user_session once more, but it didn't work out.

3) I wonder if a RESTful API would be a good solution. It'd be much more work. That's for sure.

Posted by Benjamin Brink on
Hi Iuri,

In my experience this has worked without an issue. I had a static site on one domain send "add to cart" requests on another domain and there were no issues like this.

Are both sites using OpenACS? If so, is there a way to make sure that any session_id from the first site is not sent to the second? I suspect ec_create_new_session_if_necessary is passing a session_id from the first site as a legit session_id for the second, which it should not be.

best wishes,
Ben