Old 10-14-2009, 11:10 AM Build it, or buy it?
Experienced Talker

Posts: 39
Trades: 0
I used to do freelance web design but I've been out of the game for quite some time. I was building a basic informative site for a client, then he decided out of the blue he wanted to do full eCommerce. He has an Access DB all set up with prices, descriptions, SKUs etc. I have never done a true https secure transaction. I am usually one for jumping into the code and working it out, but SSL is heavy duty important and I don't want a screw up to come back on me if his site is compromised.

The big issue is this customer is a royal pain, he refuses to have a cart that forces the user to create an account (email/password) so that's already a huge red X for his cause. All cart programs require that. I could try to design the interface that just adds to the cart, and then lets the user add their billing and customer info upon checkout. Okay, so if you were in this situation how would you handle it? I am about to find someone else to do the job, but I'd like to use this project to learn about SSL if possible, I just don't know where to begin. Any suggestions would be appreciated.

Also, I am somewhat familiar with C#.net so if you have recommendations for packages running dotnet I'd appreciate that as well. Thanks!
Turbo6PGT is offline
Old 10-14-2009, 01:11 PM Re: Build it, or buy it?
chrishirst's Avatar
Super Moderator

Posts: 22,223
Location: Blackpool. UK
Trades: 0
Do NOT EVER UNDER ANY CIRCUMSTANCES use an Access DB to store any financial or customer details.
If the location of the .mdb becomes known the entire file could be downloaded and ALL the customer details compromised.

HTTPS/SSL only secures and encrypts the communication between client browser and the server; it does NOT secure the site from infiltration or cracking attacks.

Is your client prepared to pay the several thousand pounds a year it costs in liability insurance, security testing and protection that the banks require if you are running your own system for storing customer and credit card details?

In all honesty unless you are talking about transactions exceeding 10,000 pounds/20,000 dollars a month, using a merchant gateway would be more economical.
__________________
Chris. ->> Links are advertising NOT optimising!! <<-
Growing old is mandatory - Growing up is optional
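
The risk described in the post above (a database file sitting where the web server can hand it out to anyone who learns its path) can be checked for before a site goes live. The following is an added example, not code from any poster in this thread; the function names and the extension list are assumptions, and it goes slightly beyond Access by also recognising SQLite files and databases that have been renamed to another extension.

```python
import os

# Leading bytes of common file-based databases: (offset, signature).
SIGNATURES = {
    "Access (Jet) .mdb": (4, b"Standard Jet DB"),
    "Access (ACE) .accdb": (4, b"Standard ACE DB"),
    "SQLite": (0, b"SQLite format 3\x00"),
}
# Extensions treated as database files even when the header is unknown
# (assumed list for illustration; extend it for your own stack).
DB_EXTENSIONS = {".mdb", ".accdb", ".sqlite", ".db"}


def identify(path):
    """Return the database type if the file header matches, else None."""
    with open(path, "rb") as fh:
        head = fh.read(32)
    for name, (offset, magic) in SIGNATURES.items():
        if head[offset:offset + len(magic)] == magic:
            return name
    return None


def audit_web_root(web_root):
    """List database files stored where the web server could serve them."""
    findings = []
    for folder, _dirs, files in os.walk(web_root):
        for filename in files:
            path = os.path.join(folder, filename)
            kind = identify(path)  # catches renamed copies such as old.txt
            by_ext = os.path.splitext(filename)[1].lower() in DB_EXTENSIONS
            if kind or by_ext:
                rel = os.path.relpath(path, web_root).replace(os.sep, "/")
                findings.append((rel, kind or "database extension only"))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, kind in audit_web_root(root):
        print(f"{rel}: {kind} - move outside the web root or block the request")
```

Anything this reports should be moved to a directory the web server does not publish, or have requests for it denied in the server configuration.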
Old 10-14-2009, 01:39 PM Re: Build it, or buy it?
Experienced Talker

Posts: 39
Trades: 0
This client already has a merchant account gateway set up with his local bank, though I've yet to see any documentation they provided him with. Forgot to mention that previously!

I dislike Access but before he decided to go eCommerce he just wanted a DB set up to display his products and prices, nothing more. Since he wanted to build the DB himself I suggested he use Access. I'll have to import his data into a MySQL DB if we have to store records of transactions. It would be nice if there were a secure package out there that could be easily customized to a template, like PayPal does. But then the transactions are no longer a one page checkout.
Turbo6PGT is offline
Old 10-14-2009, 01:46 PM Re: Build it, or buy it?
Brian07002's Avatar
Defies a Status

Posts: 1,585
Name: ...
Location: ...
Trades: 0
Yes, that is so true, NEVER STORE PURCHASE (OR CUSTOMER) INFORMATION IN ASP PAGES. That will screw you and/or your customers over BIG TIME! Use something like SQL.

And for a cart with no signup before checkout, there are a couple of them, you just have to look some more. It's been quite some time since I had an e-commerce store so I can't remember.

Also, be sure you check the shopping cart features, because they may have a feature to disable the sign up option entirely or partially. If you go with the paid shopping cart, be sure to check all the features, you can never be too careful in this area.

Or, as a last resort... use PayPal or 2checkout and eliminate the shopping cart entirely. Will save an arm and a leg of hassles. Actually, they provide a shopping cart too, IT'S FREE!
Old 10-14-2009, 02:07 PM Re: Build it, or buy it?
chrishirst's Avatar
Super Moderator

Posts: 22,223
Location: Blackpool. UK
Trades: 0
Quote:
NEVER STORE PURCHASE (OR CUSTOMER) INFORMATION IN ASP PAGES
Absolutely nothing to do with ASP at all. There is no more inherent security risk with ASP than there is with any other server-side code.