session security

phpjaco

hello

have a security concern working with sessions and storing credit card info inside a session, going to the payment gateway, redirecting back to my page and doing a soap connection and processing the order with the session variables, and then destroying the session afterwards.

is it safe enough to store credit card information in this manner, can hackers get to this? cause its possible to view POST variables with a firefox plugin.

or is it safer to write it to a temporary database table, do what i need to do and then delete the row?

thanks in advance.
jaco

bpat1434

Any creditcard information should not be stored (unless specifically asked to with a checkbox or whatever). Also, any security sensitive transaction should be conducted behind a 128-bit or higher SSL connection. Once over an SSL connection the firefox plugins from what I can recall won't view POST data (since it's a security concern).

So, use SSL (128-bit or better) with any sensitive data, and don't store it. Find a different way to do what you want.

Think of it this way: (1) I log in to your site and submit my personal CC info, (2) You store my data in a session and do your SOAP thing, (3) The session is destroyed and I'm redirected to a non-SSL connection.

What happens to the physical session file on the server? Surely you can't expect it to magically disappear immediately after the session is destroyed. And what if a hacker gets in during my session? Now my CC info is in plain-text for the hacker 🙁 Don't store the information. Or if you do, use a Diffie-Hellman-Merkel key-exchange type encryption so that when you start your soap connection, you can ask them for their "key" or a passphrase which will then decrypt their information and proceed with the connection.

YAOMK

What if you change the session storage to be memory?( for this part of the app) would this work?

ali_mma

you can encryption the data

phpjaco

hello

i cant go into too much detail as to why i need to store the information however I am working with the new 3d secure model (mastercard / visa), so this is why i need to store cc transactions in the first place: (see my workflow)

from my ssl page - fill in cc details
submit to payment gateway
check i f it is 3d secure in other words, prompt for pin if needed
go back to secure page, get results from payment gateway (3d secure pin)
process transactions based upon session information and also post 3d secure information returned
after transaction is complete, kill the session and move back to my normal page and update my order.

Will look at encryption, however looking at the above example it must be apparent that I need to store the cc information else i cant process it. the information returned by 3d secure from the payment gateway is not cc information only the 3d secure information and other mastercard / visa information but more specific to 3d secure. this is why the cc information is stored on the session.

will try the encryptions and let know if that works ok.

thank you
jaco