Guest checkout insecure?

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
9 years ago
Hi,

I am not sure, but this might also be a 'user experience' rather than a 'security' discussion. During guest checkout people buy products and the idea is that they are not 'captured' by the shop authentication procedure, nor do they want to become a 'known customer.'

However, if they come back the day after, the personal data and items not checked out are still in the cart. Some users do not like this. They feel 'monitored'.

On the other hand, if you do a guest purchase from a public location and you buy stuff, you have filled in everything. However, if somebody else looks into the cookie history or just goes back in the browser, the data of the previous user is visible to somebody else. People certainly dislike this. Security?

I would suggest having the cookie expire in 4 hours for a guest checkout once the customer has started filling in data as a guest. This value might be a setting (feature request?).

What are the effects of implementing this? I guess Google Analytics will report more unique visitors? What advantages and disadvantages are there?

J.

Developer info on how to do this can be found [url=/boards/t/31852/how-to-set-expiration-of-cookie-on-guest-checkout.aspx]here[/url].
9 years ago
I agree cookies should not persist that long for the guest checkout.
9 years ago
RE: "What are the effects of implementing this?"

The guest won't be able to see his order after the cookie expires. The link in the order placed email will not be valid anymore. (The cookie contains the customer's guid, and nopC uses it to look up the Customer. If no cookie, then no guid, and nopC creates a new Customer; now, _workContext.CurrentCustomer.Id != order.CustomerId, and the customer gets directed to the login page.)
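A minimal model of the lookup described in the reply above, added here as an illustration and not taken from nopCommerce or from any poster. All type and member names are hypothetical, and the 4-hour lifetime is the value proposed in the first post.

```csharp
// Simplified model of the guest-cookie lookup; names are hypothetical,
// this is not nopCommerce source code.
using System;
using System.Collections.Generic;

record Customer(int Id, Guid Guid);
record Order(int Id, int CustomerId);
record GuestCookie(Guid CustomerGuid, DateTime ExpiresUtc);

class Shop
{
    // Lifetime proposed in the thread for guest checkouts.
    public static readonly TimeSpan GuestCookieLifetime = TimeSpan.FromHours(4);
    readonly Dictionary<Guid, Customer> _byGuid = new();
    int _nextId = 1;

    // Resolve the current customer from the cookie. A missing or expired cookie
    // (a browser would simply not send it) yields a brand-new guest with an empty cart.
    public (Customer Customer, GuestCookie Cookie) Resolve(GuestCookie? cookie, DateTime nowUtc)
    {
        if (cookie is not null && cookie.ExpiresUtc > nowUtc
            && _byGuid.TryGetValue(cookie.CustomerGuid, out var known))
            return (known, cookie);
        var guest = new Customer(_nextId++, Guid.NewGuid());
        _byGuid[guest.Guid] = guest;
        return (guest, new GuestCookie(guest.Guid, nowUtc + GuestCookieLifetime));
    }

    // Order details are shown only to the customer who placed the order.
    public static string OpenOrder(Customer current, Order order) =>
        current.Id == order.CustomerId ? "order details" : "redirect to login";
}

class Program
{
    static void Main()
    {
        var shop = new Shop();
        var t0 = new DateTime(2024, 1, 1, 9, 0, 0, DateTimeKind.Utc); // constructed timestamp
        var (guest, cookie) = shop.Resolve(null, t0);
        var order = new Order(1001, guest.Id); // constructed order id
        // One hour later, same browser: the cookie still maps to the same customer.
        var (sameVisit, _) = shop.Resolve(cookie, t0.AddHours(1));
        Console.WriteLine(Shop.OpenOrder(sameVisit, order));
        // Five hours later, original guest or the next person on a shared PC:
        // the cookie has expired, so a fresh guest is created and the ids differ.
        var (later, _) = shop.Resolve(cookie, t0.AddHours(5));
        Console.WriteLine(Shop.OpenOrder(later, order));
    }
}
```

The second call shows both sides of the trade-off in one step: the next user of a shared browser no longer inherits the previous guest's data, and the original guest can no longer open the order from the emailed link.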