Clear the Cart on Logouts

Shopp, like most e-commerce solutions, has a customer account function. This means customers can log in and make purchases without the tedium of re-entering all of their personal information every time they check out.

Let’s imagine a customer is sitting at their home PC, or perhaps in a library or internet cafe, and they make a trip to an online store to make a purchase. As existing customers they log in, buy stuff and log out. Quite naturally they would not expect the next person using the PC to be able to view their personal details[1] as entered during checkout. Thankfully, of course, they can’t – unless there is some kind of unusual problem at work.

What about the contents of their cart, though?

What if we don’t login?

Visit an online store without logging in, then go ahead and add items to the cart. Now navigate away and do something else for a while (you could watch something on Netflix). Once you return to that same online store you will typically be able to see the same items still in the cart. The data persists and that is by design.

In the case of Shopp – and not just Shopp, but that is what I am interested in today – it would seem that they have divorced that aspect from customer account logins and customer details. In other words, account logins and associated customer data, such as addresses, are quite separate from the functionality of the cart itself … and by “cart” I’m referring only to the basic mechanism that allows you to select items and keep a record of that selection, not the encompassing piece of software that also handles transactions, etc.

The rationale here is that the cart does not normally contain personally identifiable information[2]. Good idea? Not always. Consider the following scenarios:

  • [Image: man with his head in his hands. Caption: “His wife just realized he was shopping for fluffy pink slippers”. Credit: Christer Rønning Austad via sxc.hu]

    A husband wishes to purchase something special for his wife but is interrupted halfway. Rather than shut down the browser – then she might suspect something was up – he logs out of the store, goes to chop wood, clear the drain or whatever other critical task has cropped up and assumes that because he logged out the cart would have magically emptied itself[3].

  • Old Mrs Gibbons[4], an octogenarian who is only just getting used to the internet and has read all sorts of scaremongering articles about security issues, happens to return to an online store that she previously used to buy a very nice piece of knitwear. This was a great act of trust on her part so she returns to the same store and uses her account login. Following a similar pattern to the one above she decides she needs a tea break, logs out then returns 30 minutes later. This time she forgets to log back in – views the cart and boom! Suddenly it dawns on her that although she didn’t log back in she can still see the scarves and mittens she added to the cart.

Big deal or not? It depends on what the merchant is selling and most importantly the customer’s perception of what is and is not secure, regardless of whether that perception is in line with the technical reality.

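What we can do, in the case of Shopp 1.2.1, is introduce a small snippet in either a standalone plugin (or just add it to your theme’s functions.php file) like so:

// Empty the Shopp cart (the shopping session) when the customer logs out.
function clear_session() 
{
    // Guard so a logout does not fail if Shopp is deactivated.
    if (function_exists('ShoppShopping')) {
        ShoppShopping()->reset();
    }
}

// Run on both the Shopp account logout and the WordPress logout.
add_action('shopp_logout', 'clear_session');
add_action('wp_logout', 'clear_session');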

Personally speaking, I would like to see a toggle that introduces this sort of behaviour from the comfort of the preferences page. In the meantime of course, for those stores that need this extra layer, we can simply work around it.
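
Until such a toggle exists in Shopp itself, the same behaviour can be switched on and off from a standalone plugin. The following is an added example, not Shopp's own code and not from the original post: the option name `ccol_clear_cart_on_logout` and the `ccol_*` function names are hypothetical, and it assumes `ShoppShopping()->reset()` and the two logout hooks behave as in the snippet above.

```php
<?php
/*
Plugin Name: Clear Shopp Cart on Logout (example)
Description: Empties the Shopp cart at logout when enabled under Settings > General.
*/

// Hypothetical option name chosen for this example.
define( 'CCOL_OPTION', 'ccol_clear_cart_on_logout' );

// Register the option and add a checkbox to the General settings screen.
function ccol_register_setting() {
    // 'absint' sanitizes the stored value to 0 or a positive integer.
    register_setting( 'general', CCOL_OPTION, 'absint' );
    add_settings_field( CCOL_OPTION, 'Clear cart on logout', 'ccol_render_field', 'general' );
}
add_action( 'admin_init', 'ccol_register_setting' );

// Output the checkbox, ticked when the stored option is 1.
function ccol_render_field() {
    printf(
        '<label><input type="checkbox" name="%1$s" value="1" %2$s /> Empty the Shopp cart when a customer logs out</label>',
        esc_attr( CCOL_OPTION ),
        checked( 1, (int) get_option( CCOL_OPTION, 0 ), false )
    );
}

// Reset the cart only when the toggle is on and Shopp is loaded.
function ccol_maybe_clear_cart() {
    if ( ! get_option( CCOL_OPTION, 0 ) ) {
        return; // Toggle off: the cart persists across logout, as by default.
    }
    if ( function_exists( 'ShoppShopping' ) ) {
        ShoppShopping()->reset(); // Same call as in the snippet above.
    }
}
add_action( 'shopp_logout', 'ccol_maybe_clear_cart' );
add_action( 'wp_logout', 'ccol_maybe_clear_cart' );
```

The option defaults to off, so a store keeps the persistent cart unless the merchant ticks the box.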

Footnotes
  1. In many cases of course, such as in an internet cafe, the browser session is unlikely to persist from one customer to the next, so in that case this would (hopefully) be a moot point – it would however depend on the particular system being used in that venue.
  2. As Jonathan Davis of Shopp fame highlighted, this is exactly how industry giant Amazon does business. The cart contents persist within the same browser session – and this is independent of account logins and logouts. However, there will be cases where the cart contains personalized items, or items so specialized as to have that same effect, and in those cases this could clearly be undesirable.
  3. This particular scenario is hypothetical, it didn’t happen to me.
  4. Mrs Gibbons is not real.
