Web Site Support for Shopper-Centric Security

Web Site Support for Shopper-Centric Security

The Commerce Server Retail Solution Site contains a folder named login that is dedicated to pages related to user registration and login. It contains the files _guest.asp, login.asp, logout.asp, and newuser.asp.

Many Web sites have a "Forgot your password?" link on their login page. There is no functionality built into the Solution Site to provide shoppers with a mechanism for dealing with forgotten passwords. Rather, this is one of those features that have been left for individual site developers to implement as they see fit for their retail Web site.

Regarding the use of secure HTTP (URLs beginning with https://) for particular pages within the Solution Sites, a mechanism exists through which site developers can easily make any page secure in this regard. It is simple a matter of adding (or removing) a line to the routine GetSecurePagesDictionary in the file include\global_siteconfig_lib.asp for each new page that should use secure HTTP (or should not use secure HTTP). In general, due to performance considerations, secure HTTP should only be used where necessary.

In the ASP.NET-based International Retail Site, included in the Commerce Server 2002 SDK, the equivalent functionality for specifying which pages must be accessed using secure HTTP is performed in the configuration file web.config. The DocumentSecurity element within the CommerceServerSite element contains a list of Document elements. Each Document element specifies a Web page using the name attribute and has a privacy attribute that is set to "true" to indicate the requirement for secure HTTP access to the indicated page.