These are some notes on the security system of this store. Please keep
them up to date as much as possible and add any new features to this
text *before* actually coding anything.
 I have to see it before anything is done. Violators will be
prosecuted to the extent impossible under US law.
    Ilya.

    I. General overview.

Currently (as of 12/14/2001) security is mostly based on HTTP Basic authentication
(RFC 2617; ftp://ftp.isi.edu/in-notes/rfc2617.txt) and SSL.
HTTP Basic authorization is implemented through mod_plsql's
"authorize" function. The function works as follows:
 - Each procedure has an entry in the table proc_name.
 - This entry defines the accessibility level of the procedure.
 - Levels are: everyone, registered user, manager; manager
    is further divided into privileges.
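To make the level check concrete, here is an added example (not the store's own code, and not PL/SQL) that models what the "authorize" function has to decide: look the procedure up in proc_name, compare the caller's level against the entry's level, and for manager procedures also check the privilege. The table contents, procedure names and privilege names are constructed for the example.

```python
# Added example (not the store's code): a model of the accessibility-level
# check that the notes assign to mod_plsql's "authorize" function.
# Table contents, procedure names and privilege names below are constructed.

from dataclasses import dataclass

# Accessibility levels in increasing order of privilege; a caller at a higher
# level may call anything a lower level may call.
LEVEL_RANK = {"everyone": 0, "registered": 1, "manager": 2}

# Stand-in for the proc_name table:
# procedure -> (required level, required manager privilege or None).
PROC_NAME = {
    "catalog.show_item":  ("everyone",   None),
    "cart.add_item":      ("everyone",   None),
    "cart.instant_carts": ("registered", None),
    "admin.set_price":    ("manager",    "pricing"),
    "admin.view_orders":  ("manager",    "orders"),
}


@dataclass(frozen=True)
class Caller:
    """Who is making the request; an anonymous visitor is level "everyone"."""
    level: str = "everyone"
    privileges: frozenset = frozenset()


ANONYMOUS = Caller()


def authorize(procedure: str, caller: Caller) -> bool:
    """Return True if the caller may run the procedure.

    Fails closed: a procedure with no proc_name entry is never callable, so a
    newly added procedure must be registered before it becomes reachable, and
    an unknown caller level ranks below "everyone".
    """
    entry = PROC_NAME.get(procedure)
    if entry is None:
        return False
    required_level, required_privilege = entry
    if LEVEL_RANK.get(caller.level, -1) < LEVEL_RANK[required_level]:
        return False
    # Manager-level procedures are further restricted by privilege.
    if required_privilege is not None and required_privilege not in caller.privileges:
        return False
    return True
```

The deny-by-default branch is the part worth copying into the real function: if a procedure can be reached without a proc_name row, the table stops being the single place where access is decided.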

The problem is that the user has to log on over a clear-channel connection, rather
than through SSL.

Solution idea:
 Avoid logging in through a clear-text channel by not requiring the buyer to log in
in order to add something to the shopping cart.
 To achieve this I think we should add some use of cookies.
Scenario:
 - Buyer comes to site,
 - Session ID is checked
 -  if it is not set, a new session is established
 -  otherwise, session is renewed
 - Each session has shopping cart associated with it.
 - Once the user is ready to pay, he is sent to the logon procedure, passing the session
    id to it as a parameter. (This can't be done through cookies, since the logon
    might be on a separate server)
 - The user logs on to the server through HTTPS, and his current shopping cart is
    associated with his UID.
 - His payment is processed, etc.
 - In addition, if the user wants, he may log in, which will allow him
    to access his "Instant carts" and other registered-user-only
    services.
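The scenario above, as an added example (not the store's code, and a Python model rather than PL/SQL): a session is established or renewed from the cookie, the cart hangs off the session, and at checkout the session id is handed to the HTTPS logon as a parameter and bound to the UID. The host name, item names and session ids are constructed; checking the password during the HTTPS logon is out of scope and assumed to have succeeded before logon_over_https() is called. One thing the example adds that the notes do not say: the session id is rotated at logon, because an id that travelled in a URL ends up in server logs and Referer headers.

```python
# Added example (not the store's code): a model of the cookie-session shopping
# cart flow from the scenario above. Session ids, host and item names are
# constructed; the HTTPS logon itself (verifying the password) is out of scope
# and assumed to have succeeded before logon_over_https() is called.

import secrets
import time
from urllib.parse import urlencode

SESSION_TTL_SECONDS = 30 * 60
PAYMENT_HOST = "https://pay.example.invalid"   # constructed: the separate HTTPS server


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested offline
        self.sessions = {}          # sid -> {"expires": float, "cart": list, "uid": str|None}

    def _create(self):
        # Random, unguessable id: the cookie is the only thing tying a buyer to a cart.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"expires": self.clock() + SESSION_TTL_SECONDS,
                              "cart": [], "uid": None}
        return sid

    def begin_request(self, cookie_sid):
        """'Session ID is checked': establish a new session if the cookie is
        missing, unknown or expired; otherwise renew it. Returns the sid to set."""
        session = self.sessions.get(cookie_sid) if cookie_sid else None
        if session is None or session["expires"] < self.clock():
            self.sessions.pop(cookie_sid, None)   # drop the stale entry, if any
            return self._create()
        session["expires"] = self.clock() + SESSION_TTL_SECONDS
        return cookie_sid

    def add_to_cart(self, sid, item):
        """Adding to the cart needs no logon, only a live session."""
        self.sessions[sid]["cart"].append(item)

    def cart(self, sid):
        return list(self.sessions[sid]["cart"])

    def checkout_url(self, sid):
        """The buyer is sent to the logon procedure with the session id as a
        parameter, because the cookie will not reach a separate host."""
        return f"{PAYMENT_HOST}/logon?{urlencode({'sid': sid})}"

    def logon_over_https(self, sid, uid):
        """After the HTTPS logon succeeded: bind the cart to the UID.
        The id is also rotated (added mitigation, not in the notes) since the
        old one was exposed in a URL; the cart carries over to the new id."""
        old = self.sessions.pop(sid)
        new_sid = self._create()
        self.sessions[new_sid]["cart"] = old["cart"]
        self.sessions[new_sid]["uid"] = uid
        return new_sid
```

With a real clock, begin_request() is what every page calls first, with the cookie value (or None) the browser sent; whatever it returns is what goes back into the cookie.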
