Checkout Flow Id (CFId) Http Module


High level how does this work

The purpose of the CFId module is to make sure that an anonymous user cookie cannot be replayed and used to steal information from the user's basket. The module does this by introducing a first past the post scenario, basically the first requestor into the checkout flow owns the basket.

So if the good user gets into the checkout flow first, the basket will be bound to them using an id in an SSL only cookie, and the bad user will not be able to access the basket without getting a hold of the cookie somehow and vice versa. In this scenario the good user will lose access to their basket if the bad user gets in their first, but that is better than the user some how giving away their credit card or address details.

The details

During the OnPreRequestHandlerExecute event the CheckoutFlowIdValidationModule checks to see if the current page request is in the checkout flow. If the user does not have a CFId one will be generated for them and it will be added to a SSL only cookie.

During the OnPostRequestHandlerExecute event the CheckoutFlowIdValidationModule will delete the cookie if the request is for the final page in the checkout process, usually the order confirmation page.

The first time the CFId is created it will be pushed to the backend where the CheckoutFlowIdProcessor will store the value will be stored with the basket. Every request from this point forward will check to make sure that the CFId from the user matches the one associated with the basket, if it does not then the user does not have permission to view or modify the basket.

Last edited Dec 11, 2012 at 3:31 PM by cmcauliffe, version 5


No comments yet.