Hi:
I have a form that prompts a user for credit card information. I have some pretty extensive validation in the form handling code that can produce a variety of error problems. The form is hosted securely via HTTPS.
In the event that the submission fails, I'd like to display the form again with as much information as possible to reduce the user's need to re-set every form element (like card type, expiration date, etc.).
I think that displaying the credit card information previously entered might present a security hazard. What if the form is cached? Would the credit card number be there in the cache? How do I prevent caching?
The other possibility is to store the credit card entered in $_SESSION and display something like XXXXXXXX1830 for the credit card number. HOWEVER, I feel like this might also present a slight security risk because session information can be hijacked if a session ID gets revealed to some other user.
Does anyone have experience with this? How do you handle it? Should I send a header to prevent caching? What might that header be?
Any help would be much appreciated.
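An added example (not code from the original post) of the two pieces asked about: sending headers that keep the page out of browser and proxy caches, and putting only a masked card number plus the harmless fields into $_SESSION when validation fails. It assumes a PHP form that posts card_number, card_type, exp_month and exp_year to this same script and is re-displayed after a redirect; those field names are assumptions.

```php
<?php
// Added example, not from the original post. Assumes a form posting
// card_number, card_type, exp_month and exp_year to this script.
session_start();

// Tell the browser and any shared cache not to store this response.
function send_no_cache_headers(): void {
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');   // for old HTTP/1.0 caches
    header('Expires: 0');
}

// Keep only the last four digits; the full card number never enters the session.
function mask_card_number(string $pan): string {
    $digits = preg_replace('/\D/', '', $pan);
    if (strlen($digits) < 4) { return ''; }
    return str_repeat('X', strlen($digits) - 4) . substr($digits, -4);
}

// Luhn check: a cheap way to catch typos before contacting the payment gateway.
function luhn_valid(string $pan): bool {
    $digits = preg_replace('/\D/', '', $pan);
    if (strlen($digits) < 13 || strlen($digits) > 19) { return false; }
    $sum = 0; $double = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double) { $d *= 2; if ($d > 9) { $d -= 9; } }
        $double = !$double;
        $sum += $d;
    }
    return $sum % 10 === 0;
}
send_no_cache_headers();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $pan = $_POST['card_number'] ?? '';
    if (!luhn_valid($pan)) {
        // Failed submission: remember only what is safe to re-display.
        $_SESSION['form'] = [
            'card_type' => $_POST['card_type'] ?? '',
            'exp_month' => $_POST['exp_month'] ?? '',
            'exp_year'  => $_POST['exp_year'] ?? '',
            'card_hint' => mask_card_number($pan),   // e.g. XXXXXXXXXXXX1830
        ];
        $_SESSION['error'] = 'The card number does not look valid; please re-enter it.';
        header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
        exit;
    }
    // ... charge the card here, then unset($_SESSION['form']) ...
}
```

When the form is rendered, show $_SESSION['form']['card_hint'] as read-only text next to an empty card number field rather than as the field's value, and add autocomplete="off" to that field, since the Cache-Control header does not stop the browser's own form-history autofill.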