Web Store Sessions

Applies to: SuiteCommerce Web Stores

SuiteCommerce uses two separate server environments, or domains, to support the eCommerce web store experience and to maintain information about the current session:

  • Unsecured HTTP Shopping Domain: supports the non-secure content and pages of the Shopping experience and related services.

  • Secure HTTPS Checkout Domain: supports the secure content and pages of the Checkout and My Account experiences.

Both environments are deeply integrated into NetSuite, but neither explicitly knows the other's state or session information. To achieve a seamless customer experience between the secure and unsecured domains, tokens and linkable attributes are passed between the two server environments via URL parameters and are stored as cookies to maintain the transferred state over time on each domain. This is commonly referred to as Domain Bridging.

Note

NetSuite never sends credentials such as user names and passwords from an unsecured HTTP domain and always uses the secure HTTPS domain for authentication.


Session Management

SuiteCommerce uses a combination of entities and roles to manage session information on and across domains.

Definitions:

  • Entity: An entity is the identifier for a specific NetSuite user. An entity is typically of the type Customer, but can be other types including Vendor or Employee.

  • Roles: A role is a defined access configuration within NetSuite. Roles are assigned to users and include sets of permissions for viewing and editing data. The Roles and associated permissions determine the pages that users can see and the tasks that they can complete.

  • Session: A session is defined by the server environment to keep track of state associated with the current user experience within NetSuite. A session knows both the EntityID and the Role associated with the current user.

Roles

There are two NetSuite roles used in the context of web stores:

Shopper Role

A Shopper role indicates a user who is not authenticated and does not have a customer role. Any time a user visits a website, that user's session is assigned the Shopper role by default if no other role has been established by a prior login in this session.

A Shopper role is a role in NetSuite that has no write permissions and read-only permissions to limited record types in the account, such as items. With a Shopper role, users cannot take any action that would create a new record, other than registering as a customer.

Note

As a direct result of how the Shopper role is used in SuiteCommerce web stores, some functionality is not currently supported. For example, we currently do not support the newsletter functionality in SuiteCommerce web stores since a user with a Shopper role cannot directly create a new lead record.


Customer Center Role

The Customer Center role provides elevated permissions to records, such as transactions, that are required to create the Checkout and My Account experiences. This role can be customized to adjust the level of access. For example, you can remove links to transactions or records or limit access to only viewing instead of editing or creating records.

Session States

A Session State indicates the degree of authentication that the server understands about the current user. A Session State is managed throughout the life of the user's session and is determined by the combination of entity and role awareness.

SuiteCommerce web stores support three overall states:

  • Anonymous State - A session is considered anonymous when the web store knows nothing about the user. The user does not have an EntityID defined. The anonymous session state typically occurs when someone comes to the site for the very first time, but can also occur after a customer has signed out. Anonymous users have full access to the unsecured HTTP Shopping domain. For example, EntityID: 0 AND Role: Shopper. Anonymous users also have limited access to the secure HTTPS Checkout and My Account domains so that they can log in.

  • Authenticated State - A user is considered authenticated when the user has a session that has been logged in. A logged in session means that the server environment knows both the EntityID of the user and the associated Role. For example, EntityID: 1234 AND Role: Customer Center.

  • Recognized State - A user is considered recognized when the server environment knows the user's EntityID but that user does not have a valid session. For example, the user's role is Shopper instead of Customer Center. The recognized session state typically occurs when a customer who has logged in before returns to the site to shop again at a later time. For example, EntityID: 1234 AND Role: Shopper.

State          EntityID   Role              Degree of authentication
Authenticated  1234       Customer Center   User is currently logged in
Recognized     1234       Shopper           User has logged in sometime in the past
Anonymous      0          Shopper           User is unknown, likely a first-time visit
IMPOSSIBLE     0          Customer Center   Authentication cannot occur

Sign In

If an anonymous user tries to access the secure HTTPS Checkout or My Account domains, they are required to log in or create an account, and see only a login page. If an anonymous user signs in or creates an account on the secure HTTPS domain, their role is elevated from the Shopper Role to the Customer Center Role and an Entity ID is assigned. However, this happens only on the secure HTTPS domain. After a login on the secure domain, the user's role and entity state have not yet changed on the unsecured HTTP domain. For the unsecured domain to be in sync, the user needs to navigate back to the unsecured domain, and the link passes the information needed to sync the other session. After the unsecured domain is in sync, the user has the same Entity ID (1234) and elevated Role (Customer Center) on both server environments.

Cookies

The following cookies are used to retain session specific information in a SuiteCommerce web store experience:

  • CkID/ShopperID - These cookies link a specific browser to a specific cart. They reside in the browser and persist beyond the current browsing session. The values of these cookies are kept in sync between servers and determine how returning customers are later recognized.

  • JSESSIONID - This cookie links a specific browser to a specific session on one of NetSuite's servers. When the current shopping experience has spanned both the unsecured HTTP Shopping domain and the secure HTTPS Checkout or My Account domains, there is a different JSESSIONID associated with each domain.

Shopping Cart Use Case

When a user enters a web store for the first time, they are issued a ShopperID cookie that identifies the specific browser and computer being used and references the shopping cart. When users navigate to checkout, the HTTP Shopping domain passes the ShopperID to the HTTPS Checkout domain via a URL parameter called ck. This ck parameter identifies the user's browser and computer and its association with the user's cart. The user, browser, and cart connection between the two NetSuite server environments is preserved to create a single unified experience.

If a user later visits the same site from another computer or a different browser, a different ck parameter is passed. If the user then logs in from that new computer or browser, the preexisting cart is associated with the new ck parameter as well as with the user's Entity ID.

Session 1 (Work Computer)

A new user who has never visited the site goes to the web store. The user is not recognized and thus has an EntityID of 0 and the default Shopper role. At the same time, a shopping cart is created (CartID: 10000) together with a ck parameter that is associated with the newly created CartID. However, because the user has not created an account, the Entity ID for the shopping cart remains 0.

At this point, the user's session has the following attributes:

  • Entity ID: 0

  • Role: Shopper

  • Shopping Cart Table

    • CartID: 10000

    • EntityID: 0

  • Browser Table

      • CartID: 10000

      • CkID: AAAAAAAAAA 

Next, the user navigates to the secure domain, intending to log in or register. The CkID is passed from the shopping environment, and the checkout domain starts off with the same attributes as the shopping server. Because the session's role is Shopper, the user is presented a login/register page.

Now, when the user creates an account on the secure HTTPS Checkout domain, the shopping cart on the Checkout domain is associated with the newly created Entity ID, resulting in a direct link between the shopping cart and the customer. The user's session now has the following attributes:

  • Entity ID: 1234 (Unique to this Customer)

  • Role: Shopper

  • Shopping Cart Table

    • CartID: 10000

    • EntityID: 1234

  • Browser Table

      • CartID: 10000

      • CkID: AAAAAAAAAA 

Session 2 (Home Computer)

The user leaves work and heads home. At home, they decide to go back to the web store to do some more browsing on their home computer. When the user goes back to the web store they are not recognized and are considered a new user again. The session has the following attributes:

  • Entity ID: 0

  • Role: Shopper

  • Shopping Cart Table

    • CartID: 20000

    • EntityID: 0

  • Browser Table

      • CartID: 20000

      • CkID: BBBBBBBBB 

Next, the user navigates to the secure HTTPS Checkout domain, intending to log in again. The CkID is passed from the shopping environment, and the checkout domain starts off with the same attributes as the shopping server. Because the session's role is Shopper, the user is presented a login/register page.

At this point, the user decides to sign back into their account with the credentials they created earlier at work. After the user logs in, the system recognizes an existing cart with the same Entity ID and updates the CkID to refer to the existing Cart ID. If the user added items on their home computer and their cart from work was not empty, the items added from home are merged into the original cart. The user's session information is updated and now has the following attributes:

  • Entity ID: 1234

  • Role: Customer Center

  • Shopping Cart Table

    • CartID: 10000

    • EntityID: 1234

  • Browser Table

      • CartID: 10000

      • CkID: BBBBBBBBB 

Note

Multiple CkIDs can be associated with a single cart. This is how NetSuite can synchronize carts between Work, Home and mobile devices.
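The session-state table and the two-session walkthrough above, replayed as an added JavaScript model. This is example code written for this page, not SuiteCommerce or NetSuite code. The ROLE, sessionState and WebStore names, the cart and browser tables kept as Maps, the checkout URL, and the merge-on-login behaviour (including dropping the merged-away cart) are assumptions for illustration; the entity, cart and CkID values are the constructed ones from the walkthrough, and the role on the checkout domain after login follows the Sign In section.

```javascript
// Added illustration (not SuiteCommerce or NetSuite code): a small model of the
// session states and the cart bridging between the shopping and checkout domains.
// The names below and the merge-by-EntityID behaviour on login are assumptions.

const ROLE = { SHOPPER: "Shopper", CUSTOMER_CENTER: "Customer Center" };
const ANONYMOUS_ENTITY = 0;

// Classify a session from its (EntityID, Role) pair. The pair EntityID 0 +
// Customer Center is the IMPOSSIBLE row of the table and is rejected outright
// instead of being silently treated as authenticated.
function sessionState(entityId, role) {
  if (entityId === ANONYMOUS_ENTITY && role === ROLE.CUSTOMER_CENTER) {
    throw new Error("impossible session: Customer Center role without an EntityID");
  }
  if (entityId === ANONYMOUS_ENTITY) return "Anonymous";
  return role === ROLE.CUSTOMER_CENTER ? "Authenticated" : "Recognized";
}

function freshSession(ckId) {
  return { entityId: ANONYMOUS_ENTITY, role: ROLE.SHOPPER, ckId };
}

class WebStore {
  constructor() {
    this.carts = new Map();     // Shopping Cart Table: CartID -> { entityId, items }
    this.browsers = new Map();  // Browser Table: CkID -> CartID (several CkIDs may share a cart)
    this.nextCartId = 10000;
    this.shopping = freshSession(null);  // session on the HTTP Shopping domain
    this.checkout = freshSession(null);  // session on the HTTPS Checkout domain
  }

  // First visit from a browser: issue a CkID and a new cart with EntityID 0.
  visit(ckId) {
    const cartId = this.nextCartId;
    this.nextCartId += 10000;
    this.carts.set(cartId, { entityId: ANONYMOUS_ENTITY, items: [] });
    this.browsers.set(ckId, cartId);
    this.shopping = freshSession(ckId);
    return cartId;
  }

  addItem(ckId, sku) {
    this.carts.get(this.browsers.get(ckId)).items.push(sku);
  }

  // Navigating to checkout passes the CkID in the "ck" URL parameter; the
  // checkout domain starts with the same attributes as the shopping session.
  goToCheckout() {
    this.checkout = { ...this.shopping };
    return "https://checkout.example/checkout?ck=" + encodeURIComponent(this.shopping.ckId);
  }

  // Login on the checkout domain only. If the entity already owns another cart,
  // the current cart's items are merged into it and the CkID is repointed;
  // otherwise the current cart is claimed for the entity.
  login(entityId) {
    const { ckId } = this.checkout;
    const currentCartId = this.browsers.get(ckId);
    let existingCartId = null;
    for (const [id, cart] of this.carts) {
      if (cart.entityId === entityId && id !== currentCartId) { existingCartId = id; break; }
    }
    if (existingCartId === null) {
      this.carts.get(currentCartId).entityId = entityId;
    } else {
      this.carts.get(existingCartId).items.push(...this.carts.get(currentCartId).items);
      this.carts.delete(currentCartId);  // assumption: the merged-away cart is dropped
      this.browsers.set(ckId, existingCartId);
    }
    this.checkout = { entityId, role: ROLE.CUSTOMER_CENTER, ckId };
  }

  // The shopping domain stays out of sync until the user follows the bridging
  // link back to it, which carries the checkout session's attributes across.
  returnToShopping() {
    this.shopping = { ...this.checkout };
  }

  cartFor(ckId) {
    return this.carts.get(this.browsers.get(ckId));
  }
}

// Replay the two-session walkthrough above and return the resulting state.
function walkthrough() {
  const store = new WebStore();
  store.visit("AAAAAAAAAA");            // work computer, CartID 10000
  store.addItem("AAAAAAAAAA", "sku-1");
  store.goToCheckout();
  store.login(1234);                    // register: cart 10000 now belongs to 1234
  const shoppingBeforeSync = sessionState(store.shopping.entityId, store.shopping.role);
  store.returnToShopping();
  store.visit("BBBBBBBBB");             // home computer, CartID 20000
  store.addItem("BBBBBBBBB", "sku-2");
  store.goToCheckout();
  store.login(1234);                    // merge 20000 into 10000, repoint BBBBBBBBB
  return {
    shoppingBeforeSync,
    finalState: sessionState(store.checkout.entityId, store.checkout.role),
    homeCartId: store.browsers.get("BBBBBBBBB"),
    workCartId: store.browsers.get("AAAAAAAAAA"),
    items: store.cartFor("BBBBBBBBB").items,
  };
}
```

Running walkthrough() shows the two points the text makes: immediately after the login on the checkout domain the shopping domain's session is still Anonymous until the bridging link is followed, and after the second login both CkIDs (AAAAAAAAAA and BBBBBBBBB) resolve to cart 10000 with the items from both computers. sessionState also makes the IMPOSSIBLE row an error rather than a state a caller could accidentally accept.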