|
|
 |
 |
Joined: 6/1/2010
Posts: 179
|
|
|
Hi,
I believe the default DNN requirement is 7 characters or longer in a password. During the checkout process and an account is required, you are presented with the SignInPage.ascx file. If a customer enters a 7 character password, a DNN account is IMMEDIATELY created, which will of course later lead to a Smith Cart account being created. BUT! If a user enters an invalid length password, such as 123, the cart will proceed to the next screen where you fill out a name and address, and proceed with the purchase, but NO DNN account is created. So in this case, you have a Smith Cart account, but no DNN account.
Of course if a customer cancels after the creation of a 7 password length DNN account, but not enter the address info, they will then have a DNN acccount and not a Smith Cart account.
First... it would be nice if this could be synced so it all happens in a single event, so you would not have one account without the other.
Here is my workaround however in 4.22...
First, paste this little Javascript at the top of SignInPage.ascx...
<script type="text/javascript">
function clientValidate(sender, args){
if (args.Value.length < 7){args.IsValid = false;}
}
</script
Next, I added this line below the <asp:TextBox ID="txtNewPassword"... control line:
<asp:CustomValidator ID="cvNewPassword" ControlToValidate="txtNewPassword" runat="server" ErrorMessage="Password must be 7 or more characters!" ClientValidationFunction="clientValidate" Display="dynamic" ValidationGroup="Group"/>
This is adding a client side ClientValidationFunction which will not allow the page to proceed until the minimum password is entered.
Thought this may help some, or maybe the Smith folks could add an option to the cart settings with "Minimum Required Password" so we would not have to modify the page every time.
I know this was partly addressed in an earlier thread, but I just wanted to post my latest findings on this. This does not address RegistrationCart, but my guess is that the code could be easily modified to work with that also.
Thanks!
Steve
|
|
|
|
 | |
|
|
|
 |
Joined: 12/18/2009
Posts: 174
|
|
|
This is extremely confusing for users because SmithCart uses DNN settings for passwords (from web.config) but shows hard coded messages that may be different than the actual verification rules being applied. Occurs in both registration and checkout.
|
|
|
|
| |
|
|
|
|
Joined: 6/1/2010
Posts: 179
|
|
|
But it does not use it from web.config... Meaning, if you create a new account initiated via SignInPage.ascx (when you start a checkout process and an account is required), SmithCart will ONLY create a SmithCart account, not a DNN account, if the password is less than what is in web.config.
The only validation used in SignInPage.ascx is that the fields match. There is no length requirement there. That is why I added it. In fact, I think it will create an account with a 1 character password (SmithCart account, not DNN). So you cannot use this account to login to DNN because it does not exist in the DNN tables.
Steve
|
|
|
|
| |
|
|
 |
Joined: 7/28/2009
Posts: 1452
|
|
|
The cart uses the asp RegularExpressionValidator with a ValidationExpression set in the ascx page to validate the password which you can modify to be in sync with what you configured in your web config if you changed the password strength from the default but you're right it would be nice if the cart dynamically read the membership settings from the web config but i'm not sure of a way to do it. Please postback if you know how its done. Thanks!
At your service,
Dave Smith
|
|
|
|
| |
|
|
|
|
Joined: 6/1/2010
Posts: 179
|
|
|
I did find this....
http://msdn.microsoft.com/en-us/library/610xe886(v=VS.85).aspx
System.Configuration.Configuration rootWebConfig1 =
System.Web.Configuration.WebConfigurationManager.OpenWebConfiguration(null);
if (0 < rootWebConfig1.AppSettings.Settings.Count)
{
System.Configuration.KeyValueConfigurationElement customSetting =
rootWebConfig1.AppSettings.Settings["customsetting1"];
if (null != customSetting)
Console.WriteLine("customsetting1 application string = \"{0}\"",
customSetting.Value);
else
Console.WriteLine("No customsetting1 application string");
}
But I am not a C# expert, hence I need to rely on Smith Cart :-)
|
|
|
|
| |
|
|
|
|
Joined: 12/18/2009
Posts: 174
|
|
|
Nice catch. Now I get it. I tried to figure this out many times and just gave up. I really do not understand why SmithCart needs to reinvent the wheel and replicate any DNN login requirements.
If login is required during checkout, the first step for unauthenticated used should be to login via DNN. It should navigate to the configured portal login page to login or register with a return url to the next checkout step.
Otherwise it introduces many other points of failure with DNN configuration including password requirements, required fields, portal verification methods, email and SSL. For example, if an authenticated user edits the email in Step1:Ship, does SmithCart use that or the DNN email? Which one is correct? Should DNN be updated? Should the user profile be used to change email instead? Should SmithCart allow email editing in the first place?
Could you (or anyone) offer a reasonable explanation as to why a SmithCart customer account would be orphaned without a DNN account?
I had to remove DNN portal verification requirements and make the portal public in order to use SmithCart. Now I get random users from bots and security scans.Speaking of security, the only way to be PCI-DSS compliant is to secure the BuyNow page including product lists, images and product details and images because the combined checkout process includes passwords and credit card info.
Please note that I have no bad intentions here, I am just trying understand how to make it all work. I could very well be doing things wrong.
|
|
|
|
| |
|
|
|
Joined: 9/7/2010
Posts: 117
|
|
|
Too bad these new forums don't have a "like" button. djbaldwin's post is spot on.
|
|
|
|
| |
|
|
|
|
Joined: 12/18/2009
Posts: 174
|
|
|
It's actually even easier.
using System.Web.Security.Membership;
int minLength = MinRequiredPasswordLength;
int minNonAlpha = MinRequiredNonAlphanumericCharacters;
int maxAttempts = MaxInvalidPasswordAttempts;
using System.Web.Configuration
MembershipSection ms = new MembershipSection();
string defaultProviderName=ms.DefaultProvider;
|
|
|
|
| |
|
|
|
|
Joined: 12/18/2009
Posts: 174
|
|
|
They are static members of System.Web.Security.Membership.
http://msdn.microsoft.com/en-us/library/system.web.security.membership(v=VS.100).aspx
|
|
|
|
| |
|
|
|
Joined: 7/28/2009
Posts: 1452
|
|
|
Thanks Dwayne we will look into getting this added so the cart signin page dynamically reads the password strength from the membership provider. The cart signin page can be turned on or off from the buynow module settings. The reason for the cart sign in page is to present the user with the "standard" ecommerce login screen that asks "Are you a new user?" or an "Existing User". If you are a new user then you have the option of checking out anonymously or creating an account and if you are an existing user you can login. The cart signin page handles this all in one screen. We could route the user to the standard dnn login screen if they are an existing user but this would add an additional step in the checkout that may cause customers to bail out. I agree that routing the user to the dnn login screen would automatically detect the password strength so the cart wouldnt have to worry about but If we use the membership provider to dyncamically pull the portal password strength I think it is a better user experience to handle it on the signin page rather than redirecting the user dnn login page and adding an additional checkout page. Additionally, the dnn login page is just a blank page with a userid and password prompt which is not very engaging to the user and may add to abandoned carts or they may think that they clicked something wrong and left the checkout confusing them and causing them not to order.
As a short term fix you can add the following 2 validations to your signinpage.ascx that match your portal password strength you should not have any issues with cart creating new dnn accounts for users checking out:
<asp:regularexpressionvalidator controltovalidate="txtPassword" display="dynamic" errormessage="Password must be minimum of 7 characters." id="revPasswordLength" runat="server" validationexpression=".{8}.*" />
<asp:regularexpressionvalidator controltovalidate="txtPassword" display="dynamic" errormessage=" Enter Valid Password." id="revPassword" runat="server" validationexpression="(?=.{8,})[a-zA-Z]+[^a-zA-Z]+|[^a-zA-Z]+[a-zA-Z]+" />
In the next release I will make sure the cart signin page dynamically reads the password strenghts.
We are definitely open to suggestions to make the cart better so please share your thoughts if you think routing the user to the dnn login page is better then the current cart signin page.
At your service,
Dave Smith
|
|
|
|
| |
|
|
|
Joined: 7/28/2009
Posts: 1452
|
|
|
This is fixed now and will be available in the next cart release 4.25. Thanks for reporting the issue!
At your service,
Dave Smith
|
|
|
|
| |
|
|
|
|
Joined: 6/1/2010
Posts: 179
|
|
|
I think slight adjustments can give the best of both worlds.
On SignInPage, I would have a single button that says Create New Account or something (without any fields), then have it go to a SmithCart registration page that is in theme with the cart (I agree that going to a DNN register screen may sidetrack customers with a different look and feel and that may not be good). Maybe it would end up like RegistrationCart or something. But, if after you click the "New Account" button, it validates everything in a single screen, then that would be good! Now, you have 2 screens... password, username, in the first screen (and then create the DNN account first), then address info in the 2nd screen (and create Smith account 2nd). So you have a chance at orphaned DNN accounts or Smith Accounts But!!! If you have it all in one screen, validate the password requirements, and the account is created all in a single pass in the 2nd screen, then all is safe and in sync! Plus, it is still the same number of button presses (2 total).
But the fix you will have in 4.25 will hold things for the time being while you figure out what the best route is. The above is my 2 cents.
Steve
|
|
|
|
| |
|
|
|
Joined: 7/28/2009
Posts: 1452
|
|
|
There are a few different options you can configure in the buynow settings for the sign in page. The option you described is already in the cart when you have the following buynow settings configured:
-
Show login page - checked-
-
Require login - checked
-
Add to cart requires login - not checked
-
Confirm page - hide login - checked
When you have your buynow module settings configured this way and the user is not logged in when they click checkout on the cart page they will be directed to the sign in page where they enter their username and password. When they click continue thru the checkout the cart will create a dnn account for the user using the information they provided in the checkout.
At your service,
Dave Smith
|
|
|
|
| |
|
|
|
|
Joined: 12/18/2009
Posts: 174
|
|
|
Just to clarify, I really prefer the SmithCart login process over DNN. Your simple, seamless and integrated user experience is quite an impressive feat!
IMHO usability and functionality is far more important than a pretty UI. Until this discussion, the password validation rules did not match the error messages. It is unknown how many customers bailed when they could not figure out the password process. Luckily DNN provides an automated recovery mechanism or that alone would be a full time job.
Security is inversely proportional to convenience. This has always been a burden and can quickly become complicated when trying to balance conflicting requirements between DNN and ecommerce. DNN login supports a welcome message, public, verified and private registration, password recovery, question and answer, invalid attempts, invalid attempt time window, required valid profiles, additional required fields, redirects and capcha. SmithCart supports login along with many other related pricing and payment features.
Add SSL and PCI-DSS and it boggles the mind.
ramble
It just happened again. How many times a day have you had to re-login after session timeout? I can’t begin to count forum posts, commerce transactions and other online activities that fail and are often unrecoverable. No one can comprehend how much time and effort has been wasted from such thoughtless "standards".
/ramble
I suppose my biggest problem is caused by new and existing customers. New or visiting customers will bail when add to cart requires login. However, member pricing by role cannot be determined until the user logs in which is too late in the process to recalculate the order total. I considered using a separate portal but that would be too difficult to manage.
Any suggestions or ideas?
At the end of the day all we really want are more orders from SmithCart.
|
|
|
|
| |
|
|
|
|
Joined: 12/18/2009
Posts: 174
|
|
|
Thanks David, that was the combination I have been looking for! Just a few more issues for v4.24 beta:
1) Sign in by typing your username and password, then press enter.
Now I recall this issue from previous customer complaints with notes to modify the ascx to reverse the order of the register and login components and/or use asp:panel with default button every time SmithCart is upgraded.
2) Login as a valid user, checkout, click next to the payment page. Logout, then checkout again and register a new account. Step 1 ship info is populated from the previous login.
This weirdness only seems to happen while testing registration, but it is a PCI-DSS compliance issue when fields persist personal information. I suggest clearing the cookie/session values as part of the registration procedure.
3) Forgot password does not work.
Why did you choose sign in instead of login?
4) Lastly, and extremely trivial, if your choices are to login or register, the buttons should indicate login or register. Please click continue to register becomes Please click register to continue.
For your amusement, I have enclosed login samples of some popular sites.
By looks, Walmart uses SmithCart. :)
|
|
|  | Login to download attachment |
|
|
|