Is it good to store credit card information in a session?

I thought it was a good place because it is temporary, huh? I think when I say “good,” I mean both safe and ethical, as well as practical for the code side of things. Please inform.

+4
6 answers

If you store credit card information anywhere, it must be fully encrypted! You may need to save in the session, you may have a multi-part form to fill out, but you should clear it as soon as possible.

+3

Pay attention to PHP sessions on shared hosts. Other users of the same host can steal sessions by creating a simple script that can open your sessions by manually setting session_id and then calling session_start(). If you must store CC nums, use stored db sessions that are encrypted and deleted promptly. It is in the interest of users to re-request a number when it is necessary; website users who are interested will thank you for this.

+1

Keep in mind that session state can be stored in the database (depending on configuration). Even if it is temporary in nature, I would try to cope with the value as soon as possible and probably try to stay away from the session.

+1

Listen to Security Now! episode 109 with Steve Gibson.

http://www.grc.com/securitynow.htm

In this episode, Steve details how he created his own e-commerce system, which stores data exactly as you describe. It does not store anything on the server side, but collects data, encrypts and signs it on a binary block that cannot be changed (otherwise the signature will not match when re-submitted) and stores it in a hidden form field on the client.

+1
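The sealed hidden-field scheme this answer describes, sketched in Node.js as an added example (not part of the original answer and not Steve Gibson's code). Assumptions: AES-256-GCM authenticated encryption stands in for the separate encrypt and sign steps, and the `checkoutId` binding, the 10-minute lifetime and all function names are illustrative.

```javascript
// Added example: seal checkout data into a tamper-evident blob for a hidden form field.
const crypto = require('node:crypto');

// Assumption: a 32-byte server-side key; in production load it from a secret store.
const KEY = crypto.randomBytes(32);
const MAX_AGE_MS = 10 * 60 * 1000; // constructed policy: a blob is valid for 10 minutes

// Encrypt and authenticate `fields`. `checkoutId` is bound as associated data,
// so a blob issued for one checkout cannot be replayed into another.
function seal(fields, checkoutId, key = KEY, now = Date.now()) {
  const iv = crypto.randomBytes(12); // fresh nonce per blob, required by GCM
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(checkoutId, 'utf8'));
  const plaintext = JSON.stringify({ issued: now, fields });
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64url');
}

// Returns the original fields, or null if the blob was modified, belongs to a
// different checkout, was sealed with another key, or is older than MAX_AGE_MS.
function unseal(blob, checkoutId, key = KEY, now = Date.now()) {
  try {
    const raw = Buffer.from(blob, 'base64url');
    if (raw.length < 12 + 16 + 1) return null; // iv + tag + at least one byte
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
    decipher.setAAD(Buffer.from(checkoutId, 'utf8'));
    decipher.setAuthTag(raw.subarray(12, 28));
    const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    const { issued, fields } = JSON.parse(pt.toString('utf8'));
    if (typeof issued !== 'number' || issued > now || now - issued > MAX_AGE_MS) return null;
    return fields;
  } catch {
    return null; // final() throws when the authentication tag does not verify
  }
}

// Flip one bit of a blob, as a client editing the hidden field would.
function tamper(blob) {
  const raw = Buffer.from(blob, 'base64url');
  raw[raw.length - 1] ^= 0x01;
  return raw.toString('base64url');
}
```

The server keeps only the key; a blob that fails `unseal` is treated the same as a missing field and the customer is asked to re-enter the data.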

The absolute best answer?

No. Do not do that.

Credit card details should be the last part of the checkout process.

+1

Better yet, keep it in the application state. More convenient access. Your controls can also directly contact this.

0
