[Pdx-pm] Shopping Cart Logic

Ovid poec at yahoo.com
Fri Mar 7 11:34:10 CST 2003

--- Carl Scripter <carl at scripter.com> wrote:
> If you are absolutely against stale records in the database, keep all the 
> cart information in a cookie -- at least there's a /good/ chance the user 
> sees them again.

With all due respect, you don't want to do that.  A cookie should *typically* be an apparently
random piece of data (a session) that ties the external user-agent to an internal record.  Yes,
maybe storing a bit of data such as "the user wants this stylesheet" in a cookie is okay for a
small site, but if you're doing anything serious, you shouldn't be abusing cookies.  Limitations
of cookies:  

* 300 total cookies
* 4 kilobytes per cookie, where the name and the OPAQUE_STRING combine to form the 4 kilobyte
* 20 cookies per server or domain. (note that completely specified hosts and domains are treated
as separate entities and have a 20 cookie limitation for each, not combined)

While not all user agents obey this, it's what the server should assume.  Thus, if you store
important info (such as the shopping cart) in the cookie, it gets removed once your prolific
surfer racks up another 300 cookies.  Further, if they had a long shopping cart list, no matter
how good your compression algorithm, you could exceed that limit (and then the cookie gets
truncated and your data could be corrupted).  Finally, when Web developers get in the habit of
storing important information in a cookie, they often store information in that cookie that
*should not be changed* (such as prices).  Then they have to go to the trouble of creating an MD5
digest (or similar mechanism) to verify the integrity of the cookie, but in reality that doesn't

In other words, using cookies inappropriately is a constant source of bugs.  As there are readily
available session mechanisms available, why not avail yourself of them?  The applications will be
more professional, you will discover that you have greater flexibility in how you interact with a
client and, most importantly, you will be less dependent on the user agent behavior!

Side note:  never rely on the 'expires' attribute to time out a cookie.  If the computer's clock
is wrong, you could be very upset.  Just set the cookie with a session ID and check the time
against the session information cached on the server.  (I seem to recall someone alluding to
something like that, so I thought I would toss this out there.)


"Ovid" on http://www.perlmonks.org/
Web Programming with Perl:  http://users.easystreet.com/ovid/cgi_course/
Silence Is Evil: http://users.easystreet.com/ovid/philosophy/decency.txt
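
The pattern described in this message (an opaque session ID in the cookie, with the cart, the prices and the timeout kept on the server), as an added Perl example that is not part of the original post. The in-memory `%SESSIONS` store, the `%PRICE` catalogue and the 30-minute idle limit are assumptions for illustration.

```perl
use strict; use warnings;

my %SESSIONS;                                   # hypothetical store; a real site would use a database
my %PRICE = (widget => 1999, gadget => 4950);   # constructed catalogue, prices in cents
my $IDLE_LIMIT = 30 * 60;                       # assumed: seconds of inactivity before expiry
# 128 bits from the kernel CSPRNG, hex-encoded: the cookie value itself carries no meaning.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $bytes, 16) == 16 or die "short read from urandom";
    return unpack 'H*', $bytes;
}

sub start_session {
    my ($now) = @_;
    my $sid = new_session_id();
    $SESSIONS{$sid} = { last_seen => $now, cart => {} };
    return $sid;
}

# Map a cookie value to its server-side record; expiry uses the server's clock only.
sub load_session {
    my ($sid, $now) = @_;
    return unless defined $sid && $sid =~ /\A[0-9a-f]{32}\z/;
    my $s = $SESSIONS{$sid} or return;
    if ($now - $s->{last_seen} > $IDLE_LIMIT) { delete $SESSIONS{$sid}; return }
    $s->{last_seen} = $now;
    return $s;
}

# The client names an item and a quantity; the price is never taken from the request.
sub add_item {
    my ($s, $sku, $qty) = @_;
    die "unknown item\n" unless exists $PRICE{$sku};
    die "bad quantity\n" unless $qty =~ /\A[1-9][0-9]{0,2}\z/;
    $s->{cart}{$sku} += $qty;
}

sub cart_total {
    my ($s, $total) = (shift, 0);
    $total += $PRICE{$_} * $s->{cart}{$_} for keys %{ $s->{cart} };
    return $total;
}

my $t0  = time;                                 # constructed walk-through: one visitor, three requests
my $sid = start_session($t0);
print "Set-Cookie: sid=$sid; Path=/; HttpOnly\n";
add_item(load_session($sid, $t0 + 60), 'widget', 2);
printf "total: %d cents\n", cart_total(load_session($sid, $t0 + 120));
print "expired\n" unless load_session($sid, $t0 + 120 + $IDLE_LIMIT + 1);
```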
