I am a part-time, self-taught coder working mainly on my own small low-traffic site.
I just finished writing a simple shopping cart for the site. I chose to write it myself because I couldn't find a third-party shopping cart that would work for me, and did not have the budget to hire it done.
But now (admittedly after the fact) I'm reading up on session security and I'm worried whether my site is likely to expose my customers to any trouble. In a nutshell, here is how it works:
- No login required, and not using a secure server.
- Customer browses items and adds to shopping cart.
- The "cart" is just a PHP session array.
- As written at this time, the session variable does show in the URL.
- When cart is complete, site takes customer to the billing and shipping address page.
- Customer reviews order details and then gets sent to PayPal for aggregate payment.
Having no expertise in security I built this on the assumption that the payment was the only really sensitive part of my process, and that would be handled by PayPal. Now I'm worried about session hijacking. Is this a serious risk for a little out-of-the-way site like mine? If so, what is the best way to protect my customers?
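The setup described above (cart held in a PHP session, session ID visible in the URL) could be hardened as in the following added example, which is not part of the original post. It assumes PHP 7.3 or later and that the site has been moved to HTTPS; the function names `start_cart_session`, `add_to_cart` and `begin_checkout` are hypothetical.

```php
<?php
// Added example, not the poster's code. Function names are hypothetical.
// Assumption: PHP 7.3+ and the site is served over HTTPS. With 'secure' => true
// the cookie is never sent over plain HTTP, so the cart would appear empty there.

function start_cart_session(): void
{
    // Weak setup from the post: the session ID travels in the URL, where it leaks
    // through shared links, browser history, Referer headers and server logs.
    // Corrected: cookies only, no transparent URL rewriting.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse session IDs the server did not issue itself (session fixation).
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // not readable from page scripts
        'samesite' => 'Lax',   // not sent on cross-site sub-requests
    ]);
    session_start();

    if (!isset($_SESSION['cart']) || !is_array($_SESSION['cart'])) {
        $_SESSION['cart'] = [];
    }
}

function add_to_cart(int $itemId, int $quantity): void
{
    // Store only IDs and quantities; look prices up server-side at checkout.
    if ($itemId > 0 && $quantity > 0) {
        $_SESSION['cart'][$itemId] = ($_SESSION['cart'][$itemId] ?? 0) + $quantity;
    }
}

function begin_checkout(): void
{
    // Issue a fresh ID before the billing and shipping address page, so an ID
    // exposed while browsing does not give access to the address data.
    session_regenerate_id(true);
}
```

Call `start_cart_session()` at the top of every page before any output, and `begin_checkout()` once when the customer leaves the cart for the address page.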