I am working on a secure credit card payment screen and have used mcrypt to encrypt the credit card information.
I am not sure what the best practice is for generating the keys.
For testing I have simply used the following:
$key=md5(session_id());
I'm not sure if I should use a separate key for each user or a single key stored on the server.
Is using a form of the session id a bad idea? Does the key need to be as protected as a password would be?
Thanks.