Sessions vs SSL POST for passing secure data?

fobster

Hi,

I need to pass sensitive information from one page to another (ie credit card info). Would it be safer to store cc info into an array and register it as a session variable then access the session variable on the next page? Or use hidden fields and POST information to the next page?? The site is ssl encrypted and on a shared server. I read that ppl that share your server can access your sessions through the /tmp folder. Then would it be safer to post the data since it is encrypted??

tia

Plasma

Ive used sessions to handle this (we have our own dedicated server, however), and I make sure I remove (set the value of the session's cc details to null) as soon as possible.

POSTing between pages is a bit dodgy, as you leave the credit card information in the document returned back to the user.

MarkR

It may be safer to pass it in hidden fields using a POST.

There is no major security risk doing this, everything is still encrypted. Although the browser's cache might store the data for a while. You might be able to try to avoid this with caching headers.

In any case, if an attacker has access to the user's cache, they're in trouble anyway.

A better option all together would be to not store the CC details anywhere. Our sites certainly don't - we pass the CC details to a payment service provider immediately, and only store the result (Not the CC details themselves).

Mark

fobster

Thanks for the input guys. We do send the cc info to a payment gateway as soon as possible. The 2 pages im referring to is the credit card input page and the confirmation page, then it goes to the payment gateway right after. Just wondering what would be the safest method of passing sensitive info between the two pages before sending it off.

MarkR

I actually realised that we also send the CC details back into the user's browser in some circumstances.

If our validation fails on the cc input box (or the PSP refuses the payment), we leave the browser on the same form with all the previous values filled in, and one or more helpful messages displayed.

In this circumstance, the browser gets the cc number back. It could be cached and hence end up on the user's computer.

Mark