Vend Documentation

Vend version 0.1 (alpha). This documentation is preliminary.

Vend allows customers to select items to buy from catalog pages. The program tracks which products they have selected and the quantity desired. From the ordering page they may complete the ordering process by entering their name and address, or return to browsing and select more items.

Vend 0.1 does not support secure transmission of credit card numbers. Vendors should contact customers separately for payment.

Overview

Normally, each request for a World Wide Web page which comes in to a server stands on its own. While the server will probably know which machine a request comes from, it may not know if the next request comes from the same browser or even from the same user on that machine.

Vend keeps track of who is ordering what by including in the URL a session id: a random string which is different for each customer browsing the catalog.

So that the session id can be included in URL's within catalog pages, every page in the catalog is served up by Vend running as a cgi-bin program. Here is an example of such a URL: 

        http://xyzcorp.com/cgi-bin/vend/shirts?WehUkATn;;1
An explanation of each part:
xyzcorp.com
Internet address of server
cgi-bin
Informs server that the requested page will be generated by a program.
vend
Name of the program to run
shirts
Page of the catalog to display
WehUkATn;;1
The session id
Catalog pages are written in regular HTML with a few extensions to support catalog ordering. Pages are delivered through the following steps:

  1. The HTTPD server receives a request for a catalog page.
  2. The server runs svend as a cgi-bin program. svend is a small C program which is setuid to the account which owns the catalog files.
  3. svend executes the Vend Perl script vend.pl.
  4. Vend reads the HTML source page from the catalog pages directory, and interprets the catalog ordering extensions in the file.
  5. The page, which is now entirely in regular HTML, is delivered to the HTTPD server, which returns it to the browser.
Once the customer has finished, the completed order is emailed to the vendor.

Where to Download Vend

Vend is available from:

ftp://gray.maine.com/pub/awilcox/vend-0.1.tar.gz
ftp://ftp.biddeford.com/pub/awilcox/vend-0.1.tar.gz

Perl version 5

You will need Perl version 5 (or later) to run Vend. Many sites are still running Perl version 4. You can download a copy of Perl 5 from the following sites (from the Perl FAQ):

North America

ftp://ftp.cis.ufl.edu/pub/perl/src/5.0/perl5.000.tar.gz
ftp://prep.ai.mit.edu/pub/gnu/perl5.000.tar.gz
ftp://ftp.uu.net/languages/perl/perl5.000.tar.gz
ftp://ftp.khoros.unm.edu/pub/perl/perl5.000.tar.gz
ftp://ftp.cbi.tamucc.edu/pub/duff/Perl/perl5.000.tar.gz
ftp://ftp.metronet.com/perlinfo/source/perl5.000.tar.gz
ftp://genetics.upenn.edu/perl5/perl5_000.zip

Europe

ftp://ftp.cs.ruu.nl/pub/PERL/perl5.0/perl5.000.tar.gz
ftp://ftp.funet.fi/pub/languages/perl/ports/perl5/perl5.000.tar.gz
ftp://ftp.zrz.tu-berlin.de/pub/unix/perl/perl5.000.tar.gz
ftp://src.doc.ic.ac.uk/packages/perl5/perl5.000.tar.gz
http://src.doc.ic.ac.uk/packages/perl5/perl5.000.tar.gz
gopher://src.doc.ic.ac.uk/0/packages/perl5/perl5.000.tar.gz

Australia

ftp://sungear.mame.mu.oz.au/pub/perl/src/5.0/perl5.000.tar.gz

Setup for the CERN HTTPD Server

Vend uses the user and machine name of the customer as an additional mechanism for distinguishing between users. Turn identity checking on in the HTTPD server with the IdentityCheck directive: 
        IdentityCheck  On
Unless changed by the UserId directive, the CERN httpd server will run programs as the user "nobody". To ensure that svend is only run as a cgi-bin program and not by other users on the system, svend will only run under this user account. If other programs on the system use the nobody account, you may want to change the UserId to an account which is only used by httpd. 
        UserId  hguest
You will also need rules to map URLs to your public HTML files and your cgi-bin directory. These may be already set up in the httpd configuration file. Here is an example: 
        Exec  /xyzcorp/cgi-bin/*  /home/xyzcorp/cgi-bin/*
        Pass  /xyzcorp/*          /home/xyzcorp/WWW/*
The first line specifies that a URL such as "http://machine.com/xyzcorp/cgi-bin/svend" will run the program svend located in the /home/xyzcorp/cgi-bin directory. The second line specifies that files in the /home/xyzcorp/WWW directory can be retrieved with a URL such as http://machine.com/xyzcorp/file.

The mapping described by Exec will always require two parts in the URL: one to specify the cgi-bin directory and another to specify the program to run. You can shorten the URL by specifying an additional mapping such as: 

        Map  /catalog/*  /xyzcorp/cgi-bin/svend/*
This will allow a URL such as "http://machine.com/catalog/shirts" to be used.

In the Vend configuration file, vend.conf, set the VendURL directive to the URL which runs svend in the cgi-bin directory. 

        VendURL  http://machine.com/catalog

Needed Directories

The Vend program, your catalog pages, and the products file should all go into a private directory. Because the catalog pages are served through the Vend cgi-bin program and contain nonstandard elements, they should not be put into a public WWW directory, nor do they need to have world-readable file permissions.

You will want a public WWW directory for inline image graphic files.

You will need a cgi-bin directory in which to put the svend program.

Unpacking the Vend Distribution

Decompress and untar the distribution: 
        gzip -d vend-0.1.tar.gz
        tar xfv vend-0.1.tar
If you have GNU tar, you can combine these steps: 
        tar xfvz vend-0.1.tar.gz
The samples directory contains a sample product file and order report, and sample catalog pages. If you would like to use them as a starting point for your own catalog, you can copy the sample files into the Vend directory: 
        cd /usr/vend                   # wherever your vend directory is
        cp sample/pages/* pages
        cp sample/products/* products
        cp sample/report .
Edit vend.pl and set VendRoot to the vend directory which you just unpacked.

Testing Your CGI-BIN Directory

This is a good time to test your cgi-bin configuration and find out the numeric user-id which your HTTPD server runs cgi-bin programs under. Edit "testcgi" and change the first line to refer to your Perl version 5 (or higher) executable. 
        #!/usr/bin/perl
Copy "testcgi" into your cgi-bin directory, and make it executable. 
        cp testcgi /your/cgi-bin/directory
        chmod a+rx /your/cgi-bin/directory/testcgi
Try running testcgi from your shell command line to make sure that everything is working. 
        /your/cgi-bin/directory/testcgi
testcgi should respond with the version of Perl that you are running and your numeric user id.

Now try running testcgi from your browser. Write down the numeric user id which you get there, as you will need it later for svend.

Setting up SVEND

svend is a small C program which is setuid to the user account which can access the catalog data files. The following defines at the beginning of svend.c should be set:
CGIUSER
Set this to the numeric uid (user id) which HTTPD runs cgi-bin programs under. Typically this will be 'nobody' or 'guest'.
PERL
Set this to the location of the perl (version 5 or higher) executable.
VEND
Set to the location of vend.pl, typically in the vend directory.
Compile svend.c with your C compiler: 
        cc svend.c -o svend
On some systems you can make the executable smaller with the strip program. But don't worry about it if strip is not on your system. 
        strip svend
If you want Vend to run under a different user account than your own, make that user the owner of svend. (You probably need to be root to do this). Do not make svend owned by root, because making svend setuid root is an unnecessary security risk. 
        chown vendacct svend
Make svend setuid: 
        chmod u+s svend
Move the svend executable to your cgi-bin directory: 
        mv svend /the/cgi-bin/directory

Setting up vend.pl

Edit vend.pl and specify the root directory which contains the Vend distribution. 
        $Config::VendRoot = '/usr/vend';

The Products File

Each product you are selling should be given a product code: a short code that identifies the product on the ordering page and in the catalog. You can use any combination of letters and digits for the product code. The "products" file is a simple Ascii comma-delimited list of all the product codes, a short description, and the price. Here is an example of a products file: 
        SH543,Men's fine cotton shirt,14.95
        PA776,Elegant pants,29.00

Catalog Pages

Pages in the catalog are written in regular HTML with extensions to support catalog ordering. To distinguish them from regular HTML, these extended elements use square brakets instead of angular brackets.

The first page displayed in the catalog is "catalog.html". This page will contain links to other catalog pages with the [page] element. Individual products can be ordered by the [order] element, which brings up the order page "order.html". The order page contains input boxes for the customer to type in their name and address. Once the order has been sent the "confirmation.html" page is displayed.

You will normally not want to include regular hypertext links to pages outside of the catalog. Such links will not include the session id, which means that if the customer follows an external link back to the catalog the list of products ordered so far will have been lost.

Inline images, on the other hand, are served in the normal fashion. You should include a regular <img src="URL"> element, where the URL refers to a graphic image.

The following elements can be used in catalog pages:

[page pg]
Insert a hyperlink to the specified catalog page pg. For example, [page shirts] will expand into <a href="http://xyzcorp.com/cgi-bin/vend/shirts?WehUkATn;;1>. The catalog page displayed will come from "shirts.html" in the pages directory.
[/page]
Expands into </a>. Used with the page element, such as: [page shirts]Our shirt collection[/page].
[finish-order]
This element is used to give the customer, while browsing, a way to return to the order page after they have already ordered something. If they haven't ordered anything yet [finish-order] does not appear at all on the displayed page. If they have ordered an item, the element will expand into something like: <a href="http://xyzcorp.com/cgi-bin/vend/finish;WehUkATn;;1"> Finish Incomplete Order</a>
[order code]
Expands into a hypertext link which will include the specified code in the list of products to order and display the order page. code should be a product code listed in the "products" file.
[/order]
Expands into </a>. Used with the order element, such as: Buy a [order TK112]Toaster[/order] today.
[price code]
Expands into the price of the product identified by code as found in the products file.
[description code]
Expends into the description of code as found in the products file.

The Order Page

The following elements are used on the order page:
[value field]
Expands into the current value of the customer input field named by field. See the section on input fields for more information.
[nitems]
Expands into the total number of items ordered so far.
[total-cost]
Expands into the total cost of all the items ordered so far.
Within the order page, the [item-list] element shows a list of all the items ordered by the customer so far. It works by repeating the source between [item-list] and [/item-list] once for each item ordered. Between the item-list markers the following elements will return information for the current item:
[item-code]
Evaluates to the product code for the current item.
[item-description]
Evaluates to the product description (from the products file) for the current item.
[item-quantity]
Evaluates to the quantity ordered for the current item.
[item-price]
Evaluates to the price (from the products file) of the current item.
[quantity-name]
Evaluates to the name to give an input box in which the customer can enter the quantity to order.

Customer Input Fields

On the orders page, order.html, you will have a number of input fields allowing customer to enter information such as their name and address. You can add more fields simply by putting more input elements on the order.html page, and the information will automatically be included in the order report. Input elements should be written in this way: 
        <input type="text" name="town" value="[value town]" size=30>
The type attribute should be set to "text", which is the only input type supported by this version of Vend.

Choose a name for this input field such as "email" for an email address. Set the name attribute to the name you have choosen.

The value attribute specifies the default value to give the field when the page is displayed. Because the customer may enter information on the order page, return to browsing, and come back to the order page, you want the default value to be what was entered the first time. This is done with the [value] element, which returns the last value of an input field. Thus, 

        value="[value name]"
will evaluate to the name entered on the previous order screen, such as: 
       value="Jane Smith"
which will be displayed by the browser.

The size attributes specifies how many characters wide the input field should be on the browser. You do not need to set this to fit the lengthiest possible value since the browser will scroll the field, but you should set it large enough to be comfortable for the customer.

Order Report File

The order report file, "report", defines the layout of the order report which gets mailed on the completion of the order. For example, 
        Order Date: $date

                    Name: $name
           Email address: $email

        Shipping address: $addr
        Town, State, Zip: $town, $state $zip
                 Country: $country
Any input field from the order page can be included using the dollar sign notation.

Vend Configuration File

The VendRoot directory, specified in vend.pl, is the default location of all of the Vend files. Unless changed in vend.pl, the Vend configuration file will be vend.conf in the VendRoot directory.

In the configuration file, these directives are required:

Vend URL

Specifies the base URL that will run svend as a cgi-bin program. 
        VendURL  http://machine.com/xyzcorp/cgi-bin/svend

Mail Order To

Specifies the email address to mail completed orders to. 
        MailOrderTo  orders@xyzcorp.com

Optional Configuration Directives

These directives all have default values and are optional.

Page Directory

Location of catalog pages. Defaults to the pages subdirectory in the VendRoot directory. 
        PageDir  /data/catalog/pages

Products Directory

Location of the products file. Defaults to the products subdirectory of the VendRoot directory. 
        ProductDir  /data/catalog/for-sale

Order Report File

When the completed order is ready to be mailed to the vendor, the order report file describes the layout of the order report. Defaults to report. 
        OrderReport  /data/order-form

Display Errors

While all errors are reported in the error log file, you can also have errors displayed by the browser. This is convenient while you are testing your configuration. 
        DisplayErrors  Yes

Session Database

When storing sessions in a DBM database, specify the base name of the DBM file to use. The file extensions of .pag, .dir, or .gdbm (depending on the DBM implementation used) will be appended. 
        SessionDatabase  session-data

File Permissions

By default, only the user account that Vend runs under (as set by the setuid permission on svend) can read and write files created by Vend. WritePermission and ReadPermission can be set to 'user', 'group', or 'world'. 
        WritePermission  group
        ReadPermission   group

Session Expire

A customer can exit their browser or leave the catalog pages at any time, and no indication is given to the HTTPD server aside from the lack of further requests that have the same session id. Old session information needs to be periodically expired. The SessionExpire specifies the minimum time to keep track of session information. Defaults to one day. 
        SessionExpire  4 hours

SendMail Program

Specifies the program used to send email. Defaults to '/usr/lib/sendmail'. 
        SendMailProgram  /bin/mailer

Shipping Charges

Specifies a shipping charge to add onto the total price for items ordered. If you do not want to include a fixed shipping charge on the order page, leave this 0 and do not include the [shipping] element in the order page. Defaults to 0. 
        Shipping  5.00

Required Pages

The following pages need to be present in the pages directory. See the sample subdirectory for examples.
catalog.html
The main catalog page presented by Vend when another page is not specified.
order.html
This page is displayed when the customer orders an item.
confirmation.html
After the order is completed, the confirmation page is displayed.
failed.html
If the sendmail program could not be envoked to email the completed order, the failed.html page is displayed. (Sadly we don't know if the email was successfully delivered).
missing.html
This page is displayed if the URL from the browser specifies a page that does not have a matching .html file in the pages directory. This can happen if the customer saved a bookmark to a page that was later removed.
noproduct.html
This page is displayed if the URL from the browser specifies the ordering of a product code which is not in the products file.
interact.html
Displayed if an unexpected response was received from the browser, such as not getting expected fields from submitting a form. This would probably happen from typos in the html pages, but could be a browser bug.

Expiring Sessions

You should periodically expire old sessions to keep the session database file from growing too large. Use the -expire option to vend.pl to do this: 
        /usr/vend/vend.pl -expire
You could add a crontab entry such as the following: 
        # once a day at 6:10 am
        10 6 * * * /usr/vend/vend.pl -expire
Febuary 1, 1995. Andrew Wilcox, awilcox@world.std.com