Web Store Sessions
This topic describes how domain bridging works in your SuiteCommerce or SuiteCommerce Advanced (SCA) web store. The type of domain bridging you use (encrypted or not) depends on your web store setup and any customizations that might not work with encrypted domain bridging. SuiteCommerce and most SCA sites use encrypted domain bridging, but some SCA setups use domain bridging without encryption.
This topic applies to web store implementations that use separate shopping and checkout domains, not single-domain setups. For more information about domains and NetSuite, see Set Up Domains for Web Stores.
If your web store uses a separate, non-secure web store domain with a secure checkout domain, each one holds different information for the same session:
- Non-secure HTTP web store domain: Supports non-secure content and shopping pages.
- Secure HTTPS checkout domain: Supports secure content and checkout and My Account pages.
Both environments are deeply integrated into NetSuite and do not have access to state or session information from the other environment. To achieve a seamless customer experience between secure and non-secure domains, tokens and linkable attributes are passed between the two server environments through URL parameters and are stored as cookies to maintain the transferred state over time on each domain. This process is called domain bridging.
With encrypted domain bridging, the URL parameters are also encrypted.
NetSuite never sends usernames or passwords from a non-secure domain and always uses the secure domain for authentication.
Domain bridging doesn't transfer any information about the user's browser or computer. The data exchanged relates only to the user's shopping state, such as the cart contents, applied promotion codes, and selected shipping information.
Session Management
A Commerce web store uses entities and roles to manage session information across domains.
Definitions:
- Entity: This is the ID for a specific NetSuite user. It's usually a Customer, but can also be a Vendor or Employee.
- Role: This is assigned to a user and sets what they can see or do in NetSuite.
- Session: This is an open browser tab, and NetSuite uses it to track the user's EntityID and Role.
Explicit Session Invalidation
Explicit session invalidation helps keep your site secure and applies to all SuiteCommerce, SCA, and Site Builder web stores.
If a user's credentials change during an active session (like their password or role), explicit session invalidation kicks in and ends the session.
The following examples describe explicit session invalidation scenarios:
- If a website administrator changes a user's password, all their sessions end. If the user was logged in to an active session, they are automatically logged out and must log in to your website again.
- If a user starts a password reset (like using the Forgot My Password link), all their sessions end.
- If a logged-in user changes their password in My Account, their session in that tab continues, but any other sessions end.
- If a user's role changes (including by script), all their sessions end.
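The four invalidation scenarios above, modelled as an added Python example (illustrative code written for this page, not NetSuite's implementation; the `SessionStore` and `Session` names are assumptions):

```python
# Added example: a model of explicit session invalidation. Each Session is one
# open browser tab tracked by entity ID and role; a credential change ends
# sessions for that entity according to the rules in the scenarios above.
# SessionStore / Session are assumed names, not NetSuite identifiers.
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import secrets


@dataclass
class Session:
    session_id: str
    entity_id: int
    role: str
    active: bool = True


@dataclass
class SessionStore:
    sessions: Dict[str, Session] = field(default_factory=dict)

    def login(self, entity_id: int, role: str) -> Session:
        # Authentication always happens on the secure domain; here we only
        # record the resulting session with an unguessable identifier.
        s = Session(secrets.token_urlsafe(16), entity_id, role)
        self.sessions[s.session_id] = s
        return s

    def active_sessions(self, entity_id: int) -> List[Session]:
        return [s for s in self.sessions.values() if s.entity_id == entity_id and s.active]

    def invalidate_all(self, entity_id: int, keep: Optional[str] = None) -> int:
        """End every active session for entity_id except the one named by keep."""
        ended = 0
        for s in self.active_sessions(entity_id):
            if s.session_id != keep:
                s.active = False
                ended += 1
        return ended

    def admin_password_change(self, entity_id: int) -> int:
        return self.invalidate_all(entity_id)       # administrator reset: all sessions end

    def password_reset_started(self, entity_id: int) -> int:
        return self.invalidate_all(entity_id)       # Forgot My Password: all sessions end

    def self_password_change(self, session_id: str) -> int:
        # Change made in My Account: the current tab survives, other sessions end.
        return self.invalidate_all(self.sessions[session_id].entity_id, keep=session_id)

    def role_change(self, entity_id: int) -> int:
        return self.invalidate_all(entity_id)       # role change, including by script
```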