CheckOut.aspx Page

Description:   The CheckOut.aspx page displays the list of items in a customer's shopping cart and prompts the user to place the order. When the user clicks the "Submit" button, the page places the order with the system and then provides an order tracking number.

Security Notes:  The CheckOut.aspx page allows only authenticated customers -- customers who have an Adventure Works Cycles user ID and have logged in using the Login.aspx page -- to view their cart and check out. If a user has not already logged on, the checkout page is not displayed. Instead, the user is directed to the login page.

To restrict access to the check out page, several entries were added to the Adventure Works Cycles application's Web.config file. The following entry assigns a security context to the CheckOut.aspx page, explicitly denying anonymous user access to the CheckOut.aspx page. (The "?" user stands for "anonymous.")

    <location path="CheckOut.aspx">
        <system.web>
            <authorization>
                <deny users="?"/>
            </authorization>
        </system.web>
    </location>


The following entry specifies how authentication will be maintained and further specifies the page on which authentication will be performed. In the Adventure Works Cycles application, this occurs on the Login.aspx page.

    <system.web>
        <authentication mode="Forms">
            <forms name="AdventureWorksStoreAuth" loginUrl="login.aspx" protection="All" path="/"></forms>
        </authentication>
    </system.web>

When a non-authenticated user attempts to display the check out page, the built-in ASP.NET forms-based security system determines that the user is denied access to the page and redirects the user to the specified page for establishing authentication.
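
As an added example (not part of the Adventure Works Cycles code), the following Python script audits a Web.config for the two entries described above and applies ASP.NET's first-match rule ordering to decide whether an anonymous request would reach a page. SAMPLE_CONFIG is constructed from the snippets on this page, the function names are hypothetical, and the case-insensitive path comparison is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two Web.config entries from this page merged into one file.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="AdventureWorksStoreAuth" loginUrl="login.aspx" protection="All" path="/"></forms>
    </authentication>
  </system.web>
  <location path="CheckOut.aspx">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>"""

def anonymous_allowed(rules):
    """URL authorization is ordered: the first rule that matches the user decides."""
    for rule in rules:
        users = [u.strip() for u in rule.get("users", "").split(",")]
        if "?" in users or "*" in users:   # "?" = anonymous, "*" = everyone
            return rule.tag == "allow"
    return True  # no rule matched: ASP.NET's inherited default allows all users

def audit(config_xml, page):
    """Return a list of findings for `page`; an empty list means login is enforced."""
    root = ET.fromstring(config_xml)
    findings = []
    auth = root.find("./system.web/authentication")
    forms = auth.find("forms") if auth is not None else None
    if auth is None or auth.get("mode") != "Forms":
        findings.append("forms authentication is not enabled")
    elif forms is None or not forms.get("loginUrl"):
        findings.append("no loginUrl configured for the redirect")
    # Page-specific <location> rules are evaluated before the site-wide rules.
    rules = []
    for loc in root.findall("location"):
        if loc.get("path", "").lower() == page.lower():  # assumption: case-insensitive
            rules += loc.findall("./system.web/authorization/*")
    rules += root.findall("./system.web/authorization/*")
    if anonymous_allowed(rules):
        findings.append("anonymous users can reach " + page)
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, "CheckOut.aspx") or "CheckOut.aspx requires login")
```

Placing an allow rule for "*" ahead of the deny rule for "?" makes the audit report the page as reachable, because the earlier rule matches first.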

If you like, you can customize the look and feel of the login page. You can also validate the user's credentials in whatever manner you prefer. (We designed the application to check user names and passwords against a database.) After users successfully identify themselves (that is, they pass the authentication check), they are redirected back to CheckOut.aspx and granted access to the page.

For more details about security, review the Login.aspx page within Adventure Works Cycles to see how this is done.

Displaying the Cart:   The logic for this page is encapsulated in two event handlers: the Page_Load event handler and the SubmitButton_Click event handler for the "Submit" button.

As in the ShoppingCart.aspx page, shopping cart information is displayed in a DataGrid control. When the CheckOut.aspx page is first displayed, the Page_Load event handler obtains a collection of all items within the user's shopping cart by calling the GetItems method of the ShoppingCartDB class. The GetItems method in turn uses the usp_ShoppingList stored procedure to retrieve the items from the database.

Once the collection of items is retrieved, it is bound to the DataGrid control by setting the grid's DataSource property and then calling the grid's DataBind() method. This causes the grid to loop through the data source and generate a row for each item. The layout of each item is determined by a set of individual column definitions in the DataGrid control.

When the cart information has been displayed, the handler invokes the GetTotal method of the ShoppingCartDB class to calculate a total cost. The total is formatted using a locale-dependent currency formatting method.

Checking Out:   The SubmitButton_Click event handler is used to place the actual customer order. It calls the PlaceOrder method of the OrdersDB class, which in turn calls the usp_OrdersAdd stored procedure to insert a new record into the database.

After the order has been written, the handler hides the "Submit" button and then redisplays the page with the customer tracking number of the placed order.