CheckOut.aspx Page
Description: The CheckOut.aspx page displays the list of items in
a customer's shopping cart and prompts the user to place the order. When the
user clicks the "Submit" button, the page places the order with the system and
then provides an order tracking number.
Security Notes: The CheckOut.aspx page allows only
authenticated customers -- customers who have an Adventure Works Cycles user ID and have
logged in using the Login.aspx page -- to
view their cart and check out. If a user has not already logged on, the
checkout page is not displayed. Instead, the user is directed to the login
page.
To restrict access to the checkout page, several entries were added to the
Adventure Works Cycles application's Web.config file. The
following entry assigns a security context to the CheckOut.aspx page,
explicitly denying anonymous users access to it. (The "?"
user stands for "anonymous.")
<location path="CheckOut.aspx">
    <system.web>
        <authorization>
            <deny users="?"/>
        </authorization>
    </system.web>
</location>
The following entry specifies how authentication will be maintained and further
specifies the page on which authentication will be performed. In the Adventure Works Cycles
application, this occurs on the Login.aspx page.
<system.web>
    <authentication mode="Forms">
        <forms name="AdventureWorksStoreAuth"
               loginUrl="login.aspx" protection="All" path="/"></forms>
    </authentication>
</system.web>
When an unauthenticated user attempts to display the checkout page, the
built-in ASP.NET forms-based security system determines that the user is denied
access to the page and redirects the user to the specified page for
establishing authentication.
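The two entries above can be checked mechanically. The following Python sketch is an added example, not part of the Adventure Works Cycles sample: it parses a constructed Web.config holding both entries and evaluates the authorization rules in order, first match wins, as ASP.NET URL authorization does. It reads only the users attribute (not roles or verbs); the function names and the user name alice are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two Web.config entries shown on this page, in one file.
WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="AdventureWorksStoreAuth" loginUrl="login.aspx"
             protection="All" path="/"/>
    </authentication>
  </system.web>
  <location path="CheckOut.aspx">
    <system.web>
      <authorization><deny users="?"/></authorization>
    </system.web>
  </location>
</configuration>"""

def rules_for(root, page):
    """Ordered (action, users) rules declared in the <location> entry for page."""
    for loc in root.findall("location"):
        if loc.get("path", "").lower() == page.lower():
            return [(r.tag, [u.strip() for u in r.get("users", "").split(",")])
                    for r in loc.findall("system.web/authorization/*")
                    if r.tag in ("allow", "deny")]
    return []

def is_allowed(rules, user):
    """First matching rule wins. user=None models an anonymous request."""
    for action, users in rules:
        for u in users:
            if u == "*" or (u == "?" and user is None) or u == user:
                return action == "allow"
    return True  # nothing matched: the inherited default allows all users

def audit(xml_text, page):
    """Summarise whether page is protected the way this page describes."""
    root = ET.fromstring(xml_text)
    rules = rules_for(root, page)
    forms = root.find("system.web/authentication/forms")
    return {
        "forms_auth": root.find("system.web/authentication[@mode='Forms']") is not None,
        "cookie_protection_all": forms is not None and forms.get("protection") == "All",
        "login_url": None if forms is None else forms.get("loginUrl"),
        "anonymous_blocked": not is_allowed(rules, None),
        "authenticated_allowed": is_allowed(rules, "alice"),
    }

if __name__ == "__main__":  # second run: constructed variant with the deny rule removed
    for cfg in (WEB_CONFIG, WEB_CONFIG.replace('<deny users="?"/>', "")):
        print(audit(cfg, "CheckOut.aspx"))
```

With the deny rule removed, anonymous_blocked becomes False, which is the regression worth catching before a configuration change ships.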
If you like, you can customize the look and feel of the login page. You can
also validate the user's credentials in whatever manner you prefer.
(We designed the application to check user names and passwords against a
database.) After users successfully identify themselves (that is, they pass the
authentication check), they are redirected back to CheckOut.aspx and granted
access to the page.
For more details about security, review the Login.aspx
page within Adventure Works Cycles to see how this is done.
Displaying the Cart: The logic for this page is
encapsulated in two event handlers: the Page_Load
event handler and the SubmitButton_Click event handler for the
"Submit" button.
As in the ShoppingCart.aspx page, shopping cart information is displayed in a
DataGrid control. When the CheckOut.aspx page is first displayed, the Page_Load
event handler obtains a collection of all items within the user's shopping cart
by calling the GetItems method of the ShoppingCartDB class. The GetItems method
in turn uses the usp_ShoppingList stored
procedure to retrieve the items from the database.
Once the collection of items is retrieved, it is bound to the DataGrid control
by setting the grid's DataSource property and then calling the grid's DataBind()
method. This causes the grid to loop through the data source and generate a row
for each item. The layout of each item is determined by a set of individual
column definitions in the DataGrid control.
When the cart information has been displayed, the handler invokes the GetTotal
method of the ShoppingCartDB class to calculate a total cost. The total is
formatted using a locale-dependent currency formatting method.
Checking Out: The SubmitButton_Click event handler is used
to place the actual customer order. It calls the PlaceOrder method of the
OrdersDB class, which in turn calls the usp_OrdersAdd stored
procedure to insert a new record into the database.
After the order has been written, the handler hides the "Submit" button and
then redisplays the page with the customer tracking number of the placed order.