What level of sensitive information can be stored in the $_SESSION variable?

Suppose you have a shopping app with the option to pay by credit card. The user is registered and begins to make purchases. Is it possible to take his credit card number and password from the database and save them in a session variable as soon as the user logs in to eliminate the need for future SQL queries in the next steps by which the user is going to complete his payment?

Describe this when:
a) Connection unsafe
b) The connection is established in accordance with SSL security

An example is the credit card application above. I want to get an idea of the security of session variables.

+4
2 answers

As Dagon says, all session data is usually on the server.

However, there are still a few pitfalls. First, in many configurations, session variables are stored in /tmp/ and are owned by the owner of the web server process. In a shared hosting situation, we can assume that other users on the shared host can access the session data. Secondly, you can configure your own session handler, e.g. to store session data in a database. In this case, all the security problems of that implementation have to be considered.

It is better not to store credit card data in session data; just write it to a safe place and retrieve it using some reasonable mechanism (for example, database search) when it is really necessary.

+2
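As an added illustration of the second pitfall in this answer (a custom session handler backed by a database) and of the closing advice (keep only a reference in the session and look the real data up when needed), here is a PDO/SQLite session handler with parameterised queries and expiry, plus a login and a checkout step. This is example code, not from the original answer; the database path, the `sessions` and `payment_methods` tables and the `gateway_token` column are assumptions.

```php
<?php
// Added example, not part of the original answer.
// Stores PHP session data in an SQLite database (assumed path, outside the web root)
// instead of /tmp/, so other users on a shared host cannot read the session files.

class PdoSessionHandler implements SessionHandlerInterface
{
    private PDO $db;
    private int $maxLifetime;

    public function __construct(PDO $db, int $maxLifetime = 1440)
    {
        $this->db = $db;
        $this->maxLifetime = $maxLifetime;
        // Assumed schema: id = session id, data = serialized $_SESSION payload.
        $this->db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY, data TEXT NOT NULL, updated_at INTEGER NOT NULL)');
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        // Prepared statement: the session id comes from the client cookie and is untrusted.
        $stmt = $this->db->prepare(
            'SELECT data FROM sessions WHERE id = :id AND updated_at > :cutoff');
        $stmt->execute([':id' => $id, ':cutoff' => time() - $this->maxLifetime]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['data'] : '';
    }

    public function write(string $id, string $data): bool
    {
        $stmt = $this->db->prepare(
            'INSERT INTO sessions (id, data, updated_at) VALUES (:id, :data, :t)
             ON CONFLICT(id) DO UPDATE SET data = excluded.data, updated_at = excluded.updated_at');
        return $stmt->execute([':id' => $id, ':data' => $data, ':t' => time()]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    public function gc(int $maxLifetime): int|false
    {
        // Garbage collection: drop sessions idle for longer than the configured lifetime.
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE updated_at < :cutoff');
        $stmt->execute([':cutoff' => time() - $maxLifetime]);
        return $stmt->rowCount();
    }
}

$sessionDb = new PDO('sqlite:/var/lib/app/sessions.sqlite'); // assumed path
$sessionDb->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
session_set_save_handler(new PdoSessionHandler($sessionDb), true);
session_start();

// On login: the session holds only the user id, never the card number or password.
function loginUser(int $userId): void
{
    session_regenerate_id(true); // fresh id so a pre-login id is not reused
    $_SESSION['user_id'] = $userId;
}

// At payment time: look up what the step needs with a prepared query
// (assumed table payment_methods with a gateway token rather than a raw card number).
function paymentMethodForCurrentUser(PDO $appDb): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $appDb->prepare(
        'SELECT last4, gateway_token FROM payment_methods WHERE user_id = :uid');
    $stmt->execute([':uid' => $_SESSION['user_id']]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}
```

The extra query at checkout is the price of not keeping card data in the session; with the handler above the session row itself contains nothing worth stealing beyond the user id, and `gc()` keeps stale rows from piling up in the database.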

Although the session variables are stored on the server, the only real security is the session cookie, which, if hacked, will allow any other visitor to start the same session and therefore to see the pages in the same way as the original visitor.

A session cookie is just a random string generated by PHP, and is available for viewing in plain text (if you are not using SSL) for any "person in the middle", which allows you to capture the session of others.

Saving any confidential data in any way is a potential security issue, so today you need certified PCI-DSS hosting and environment to process credit card information. This applies even if you never “store” it on your server: as long as the information flows through your equipment, you need to meet the requirements of PCI-DSS.

The reason for this is that it will always be available at some point in the computer's memory, and an infected computer may have malicious software that could identify this data and pass it on for bad purposes.

+4
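As an added example illustrating this answer's point that the session cookie is the real secret: the PHP settings that keep the cookie off plain-text connections and out of reach of scripts, a fresh id on login so an id observed before authentication is worthless, and a logout that actually expires the cookie. This is example code, not from the original answer; `onLogin`/`onLogout` and the idle timeout value are assumptions.

```php
<?php
// Added example, not part of the original answer.
// Hardens the PHP session cookie against the "person in the middle" scenario.

function startHardenedSession(int $idleTimeout = 900): void
{
    // Reject session ids that this server did not issue (defeats fixation with a guessed id).
    ini_set('session.use_strict_mode', '1');
    // The id is accepted only from the cookie, never from the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie, discarded when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => $https,     // never sent over plain HTTP when the site is on SSL
        'httponly' => true,       // not readable by JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    // Idle timeout: a stolen cookie stops working after a period of inactivity.
    if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > $idleTimeout) {
        onLogout();
        session_start();
    }
    $_SESSION['last_seen'] = time();
}

function onLogin(int $userId): void
{
    // New id at the privilege change: whatever id was captured before login is now useless.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
}

function onLogout(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser, not only the data on the server.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

startHardenedSession();
```

None of this changes the answer's conclusion: a cookie that is sent over an unencrypted connection can still be read on the wire, so the `secure` flag only helps once the site is served over SSL, and card data still does not belong in the session at all.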
