Web Store Sessions

If your online store uses a separate, non-secure web store domain linked to a secure checkout domain, the two domains hold different types of information related to the same website session:

  • Non-secure HTTP web store domain: Supports non-secure content and shopping pages.
  • Secure HTTPS checkout domain: Supports secure content and checkout and My Account pages.

Both environments are deeply integrated into NetSuite and do not have access to state or session information from the other environment. To achieve a seamless customer experience between secure and non-secure domains, tokens and linkable attributes are passed between the two server environments through URL parameters and are stored as cookies to maintain the transferred state over time on each domain. This process is commonly referred to as domain bridging.

When encrypted domain bridging is used, the URL parameters are also encrypted.

Session Management

A Commerce web store uses a combination of entities and roles to manage website session information stored on and across domains.

Definitions:

  • Entity: An entity is the identifier for a specific NetSuite user. An entity is typically of the type Customer, but can be other types including Vendor or Employee.
  • Role: A role is assigned to a user and includes sets of permissions for viewing and editing data. Roles and their associated permissions determine the pages that users can see and the tasks that they can perform.
  • Session: A website session (open browser tab) is defined by the server environment to track the state associated with the current user experience in NetSuite. A session tracks both the EntityID and the Role associated with the user.

Explicit Session Invalidation

Explicit session invalidation is used to enhance website security and applies to all SuiteCommerce, SCA, and Site Builder web stores.

Changes that are made to a user’s credentials during an active website session can result in session invalidation for that user. If the user’s credentials (including their password, whether the assigned role exists, and whether a user is active) are changed, explicit session invalidation occurs and the session ends.

The following examples describe explicit session invalidation scenarios:

  • If a website administrator changes a user’s password, all existing sessions for that user end. If the user was logged in to an active session, they are automatically logged out and must log in to your website again.
  • If a user initiates a password reset (for example, using a Forgot My Password link), all existing sessions for that user end.
  • If a logged-in user changes their password in the My Account area of your website, their session in that browser tab continues. However, any other existing sessions end.
  • If a user’s role changes, all existing sessions for that user end. This includes a role change made by a script and the explicit removal of one role followed by the addition of another.

Note

This topic describes how domain bridging works in your SuiteCommerce or SuiteCommerce Advanced (SCA) web store. The type of domain bridging (encrypted domain bridging or domain bridging) depends on your web store implementation and whether it has customizations that are incompatible with encrypted domain bridging. Encrypted domain bridging is used on SuiteCommerce and most SCA implementations, but some SCA implementations use domain bridging without encryption.

Note

This topic applies to web store implementations that use separate shopping and checkout domains but not to those that use a single domain. For more information about domains and NetSuite
