Session States, Sign in, and Cookies
A session state indicates the degree of authentication that the server understands about the current website user. It's managed during the user's session and depends on their entity and role.
Commerce web stores use three session states:
- Anonymous state - The web store doesn't know who the user is (no entity ID). This usually happens when someone visits your site for the first time or after signing out. Anonymous users can use the unsecured shopping domain fully, but only have limited access to checkout and My Account so they can log in.
- Authenticated state - The user is logged in, so the server knows their entity ID and role (EntityID: 1234 and Role: Customer Center).
- Recognized state - The server knows the user's entity ID, but they're not logged in (EntityID: 1234 and Role: Shopper). This usually happens when someone who logged in before comes back later.
The following table provides examples of session states:
| Session State | EntityID | Role | Degree of Authentication |
|---|---|---|---|
| Authenticated | 1234 | Customer Center | User is currently logged in. |
| Recognized | 1234 | Shopper | User has logged in some time in the past. |
| Anonymous | 0 | Shopper | User is unknown and is likely a first-time visitor. |
| IMPOSSIBLE | 0 | Customer Center | Authentication cannot occur. |
Sign In
If an anonymous user tries to access the secure HTTPS checkout or My Account domains, they need to log in or create an account and can only view the login or register page.
If an anonymous user signs in or creates an account on the secure domain, their role changes from Shopper to Customer Center and an entity ID is assigned. However, this only occurs on the secure HTTPS domain.
After logging in to the secure domain, the user's role and entity haven’t changed yet on the unsecured domain. For the unsecured domain to sync with the secure domain, the user needs to return to the unsecured domain and, through the link, pass the appropriate information to sync the secure session's information. After the unsecured domain is in sync, the user then has the same entity ID (1234) and elevated role (Customer Center) on both domains.
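The following added example (not NetSuite code) models the table and the sign-in flow above: it derives the session state from an entity ID and role, rejects the impossible combination, and shows that the unsecured domain stays in its old state until it is synced. All function and object names are hypothetical, and the sessions are plain objects standing in for the per-domain server sessions.

```javascript
// Added illustration: plain objects, not NetSuite or SuiteCommerce APIs.
const ANONYMOUS_ID = 0; // entity ID the table uses for an unknown user

// Map an (entityId, role) pair to the session state from the table.
function sessionState({ entityId, role }) {
  const known = entityId !== ANONYMOUS_ID;
  if (role === 'Customer Center') {
    // Elevated role without an entity ID is the IMPOSSIBLE row: fail closed.
    if (!known) throw new Error('impossible state: Customer Center with EntityID 0');
    return 'Authenticated';
  }
  if (role === 'Shopper') return known ? 'Recognized' : 'Anonymous';
  throw new Error(`unknown role: ${role}`);
}

// A first-time visitor: each domain holds its own session, both anonymous.
function newVisitor() {
  return {
    secure: { entityId: ANONYMOUS_ID, role: 'Shopper' },
    unsecured: { entityId: ANONYMOUS_ID, role: 'Shopper' },
  };
}

// Sign-in changes only the secure domain's session.
function signIn(browser, entityId) {
  browser.secure = { entityId, role: 'Customer Center' };
}

// Returning to the unsecured domain through the link copies the secure
// session's entity ID and role across.
function syncUnsecured(browser) {
  browser.unsecured = { ...browser.secure };
}

// State as seen by each domain at this moment.
function statesByDomain(browser) {
  return {
    secure: sessionState(browser.secure),
    unsecured: sessionState(browser.unsecured),
  };
}

const browser = newVisitor();
signIn(browser, 1234); // constructed sample entity ID, as in the table
console.log(statesByDomain(browser)); // secure is ahead of unsecured here
syncUnsecured(browser);
console.log(statesByDomain(browser)); // both domains now agree
```

Between sign-in and sync the two domains disagree about the user, so any check on role or entity ID has to read the session of the domain that is serving the request.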
Cookies
The following cookies are used to retain website session information specific to the Commerce web store experience:
- NLShopperID - This cookie is for encrypted domain bridging and links a browser to a cart. It stays in the browser even after you close it, and its value is kept in sync between servers to help recognize returning customers.
- CkID/ShopperID - These cookies are for domain bridging without encryption. They link a browser to a cart, stick around after you close the browser, and are kept in sync between servers to recognize returning customers.
- JSESSIONID - This cookie links a browser to a session on a NetSuite server. If you shop on both the unsecured and secure domains, each one gets its own JSESSIONID.