SigninPage Not Creating DNN Accounts - Password Length
New Post
3/21/2011 5:15 AM
 

Dwayne,
 

I would like to also add that when you are shipping a boxed product, which is likely most common, there should be NO address fields offered if the cart requires an account. The most common presentation would be a ShipTo area, and/or a button to "Edit My Account" that returns back to the checkout process. As you mentioned earlier I believe, presenting address fields OUTSIDE the ShipTo or Account area is extra data that is not needed and a customer does not really know if it is modifying their account or not.
 

This login should happen before the shipping calculation is done, and this way there is no risk of 4 different sets of data (DNN Account, Smith Account, Order ShipTo Data, Custom Entered Order Data given before login).
 

Also, on another note, about login timeouts, we fixed this on our site so we can stay logged in without having to reenter the data each time we come. It is a DNN setting we had to change.
 

See http://www.dotnetnuke.com/Community/B....

 

Steve

 
New Post
3/21/2011 11:38 AM
 
Steve,

Or least common, as my requirements are typically 10 to 20 line items with multiple boxes and tracking numbers per shipment. I definitely agree that the account fields (especially email) should not be offered when a cart requires an account.

My confusion seems to be with new and returning customers, DNN accounts and the information required to proceed through checkout. I use DNN menus and user roles to show Products to unauthenticated users, when they log in they see other options such as My Order with Quick Order and History child pages.

In today's world, we know we have to enter our data once to order goods from any online system. Some sites ask for a zip or postal code before ordering. I have no trouble forcing everyone to use DNN login and registration, bypassing SmithCart entirely, or vice versa.

If login must happen before calculating shipping, the cart should also recalculate any amounts with account dependencies such as member prices by role. Like brick and mortar stores, you present your membership card (or coupons) during checkout and prices are adjusted accordingly.

As for the timeout thing, it is a personal pet peeve with PCI-DSS. If you have selected NOT to store, process or transmit credit card primary account numbers, then this does not apply. However, if you store credit card data, consider just some of the PCI-DSS v2.0 compliance requirements for administrators (not end users).

8.5.9 Change user passwords at least every 90 days.

8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.

8.5.15 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.

As I mentioned, security is inversely proportional to convenience and afterthought will not protect your sensitive data.
 
New Post
3/21/2011 12:13 PM
 

We elect not to store cardholder data... our business model does not require it.

My sense in all this would be to somehow keep the DNN account in sync with the Smith account automatically. Or not even have a Smith account, and have any extra data stored elsewhere.

The goal is to not confuse the customer. Now, when you Add to Cart, it presents Ship To fields, and this is what I think is confusing. This should not be there. But, a checkbox to "Ship to alternate address" could be there which then allows the Ship To fields to be available. A customer may ask "Why am I needing to enter this data when I have an account?"

So a login should ALWAYS precede the display of ship to data (I do not have an account required to add to cart but we do have it to checkout). Another option would be to pre-populate the ship to fields with the current account data if this must stay the way it is, but have an option that says "Use Default Shipping Address" and another that says "Use Alternate Ship To address", and have it clearly toggle between the two. Most sites have a more visible way of doing this.

I know this needs some research. But I think it can be simplified to a degree. It should not be rushed, and discussion on this is a good idea!

I guess requiring a login to simply add to a cart would solve some of this, but that is less user friendly in my opinion. I think it is much better to allow customers to visually see their cart before checking out/creating an account/logging in.
 

What would be good is a way to edit the account via Smith.MyAccount, so users do not even have to get to the DNN Account area which is not user friendly at all.

 
New Post
4/3/2011 10:34 PM
 

My .02

I've been with DNN since 2.1.2 and found out early on that it is better to reduce the number of chars in the password requirement in web.config to 2 or higher... which should only be done if the number of invalid login attempts is also limited... to something like 8 or 10... then block the IP address for 10 minutes.
Some websites are better off with these values, while other websites are strengthened in other ways.
If the website is only used for SmithCart and on its own SQL DB, then it might make sense to review the number of chars in the passwd and make a command decision.
! People will not remember Account names & passwds... but they will likely remember Email Address & passwds.
Amazon uses email addr. https://www.amazon.com/gp/css/homepag...

BarryZ

 

 

 
New Post
4/4/2011 7:44 PM
 

All of the settings are configurable in DNN using the AspNetSqlMembershipProvider and I believe SmithCart supports the functionality. DNN can lock out an account for a period of time, but you do need a custom extension (UCanUse/Interactivewebs) to lock out by IP address which SmithCart could not support.

The only problem with using an email address for an account name is that emails can and do change. There is no easy way for admins or users to deal with account name maintenance in DNN.


Accounts and passwords have always been a can of worms. 
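
Added example (not part of any post in this thread, and not DNN or SmithCart code): a small Python audit of the web.config settings discussed above, namely the membership provider's password length and invalid-attempt limit plus the forms login timeout. The sample config is constructed and the policy thresholds are assumptions, except the 15-minute idle limit, which is the PCI-DSS 8.5.15 figure quoted earlier in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from any real site's web.config.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".DOTNETNUKE" protection="All" timeout="60" />
    </authentication>
    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             minRequiredPasswordLength="2"
             maxInvalidPasswordAttempts="10" />
      </providers>
    </membership>
  </system.web>
</configuration>"""

# Assumed policy values; 15 minutes is the 8.5.15 idle limit quoted in the thread.
POLICY = {"min_length": 7, "max_attempts": 6, "max_idle_minutes": 15}

def _check(elem, attr, ok, want, findings):
    """Flag an attribute that is missing or whose integer value fails ok()."""
    raw = elem.get(attr)
    if raw is None:
        findings.append(f"{attr}: not set explicitly, framework default applies")
    elif not raw.isdigit() or not ok(int(raw)):
        findings.append(f"{attr}={raw}: policy wants {want}")

def audit_web_config(xml_text, policy=POLICY):
    """Return findings for the default membership provider and forms timeout."""
    root, findings = ET.fromstring(xml_text), []
    membership = next(root.iter("membership"), ET.Element("membership"))
    provider = next((p for p in membership.iter("add")
                     if p.get("name") == membership.get("defaultProvider")), None)
    if provider is None:
        findings.append("default membership provider is not defined")
    else:
        _check(provider, "minRequiredPasswordLength",
               lambda v: v >= policy["min_length"], f">= {policy['min_length']}", findings)
        _check(provider, "maxInvalidPasswordAttempts",
               lambda v: v <= policy["max_attempts"], f"<= {policy['max_attempts']}", findings)
    forms = next(root.iter("forms"), None)
    if forms is not None:  # forms timeout is the login cookie lifetime in minutes
        _check(forms, "timeout", lambda v: v <= policy["max_idle_minutes"],
               f"<= {policy['max_idle_minutes']} minutes", findings)
    return findings
```

Calling `audit_web_config(SAMPLE_WEB_CONFIG)` returns one finding per setting that falls outside the policy; an empty list means the file meets it.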

 