Risk analysis- storing obscured cc# in $_SESSION

[andrew embassy]

Hey everybody- first time poster here.

So I'm getting close to completing a shopping cart app that's been under construction for over a year, and I'm trying to figure out just how much information is safe to store in the $_SESSION variable.

If my understanding of the $_SESSION variable is correct, generally you shouldn't store critical information in it because if anyone is listening in when it's set they can use the id to access any information stored in the variable.

Obviously my payment page is over a secure connection, and I'm not storing the actual credit card information in the $_SESSION variable (I'm actually not storing it anywhere; once the user posts it to the script it goes directly to the API), but I would like to be able to store an obscured credit card number (i.e. ************1234) so that the user can see which card they're using after they enter it, and I don't have to keep posting it to every page in the checkout process. I'll be unsetting this session variable once the confirmation page is displayed, so it won't be just sitting there forever.

How much of a risk is this? It seems that the last four digits of a credit card are pretty low- risk; they're constantly emailed over unsecure connections, etc. -while eventually I plan on instating a more secure session system (which I have further questions about), for now am I okay with this, or should I just forgo this luxury?

Thanks!

[stymiee]

If it is only the last four digits of the card number that's perfectly fine.

[andrew embassy]

Whoops, thanks for the move.

And thanks for the answer too!

[Immerse]

If my understanding of the $_SESSION variable is correct, generally you shouldn't store critical information in it because if anyone is listening in when it's set they can use the id to access any information stored in the variable.

This isn't quite true, I think you may be confusing $_SESSION and $_COOKIE. $_SESSION is stored on the server, and is not transmitted over the 'net. As such, people listening in will not see $_SESSION. That's not to say it's automatically safe, especially if you're on shared hosting. If the server is configured incorrectly, other people's sites may have access to your site's session files.

But, as Stymiee said, storing the last 4 characters of the CC number can't do any harm.

[andrew embassy]

Hey Immerse-

Yeah, I('m pretty sure I) understand $_SESSION properly; I misspoke- I should have said "if anyone is listening in when it's set they can use the id to access any information you return to the user from the variable".

So, if I could get a solid confirmation that the server is correctly setup to avoid any spying on my session variables, and I don't transmit the cc# back to the user at any point, I could conceivably store the cc# in the session variable for a time if I was sure to delete it immediately after I did what I wanted with it? That would make things smoother for the user if they have to go back and edit their shipping information and such...

[BrandonK]

I wouldn't store the full CC# in the SESSION file. If someone were to steal the session_id (often times stored in a cookie), they would then have the ability to get the full CC#. But you are 100% okay with saving the last 4 digits of a CC# in a SESSION (you could even do it in a cookie b/c those 4 numbers are practically worthless).

[andrew embassy]

I wouldn't store the full CC# in the SESSION file. If someone were to steal the session_id (often times stored in a cookie), they would then have the ability to get the full CC#. But you are 100% okay with saving the last 4 digits of a CC# in a SESSION (you could even do it in a cookie b/c those 4 numbers are practically worthless).

Well, this seems contrary to what Immerse has said- If I store the cc# in the $_SESSION id, but don't give a way for any of my scripts to pass it over the net, then could somebody access it with just a session id?

[Christopher Hill]

Well, this seems contrary to what Immerse has said- If I store the cc# in the $_SESSION id, but don't give a way for any of my scripts to pass it over the net, then could somebody access it with just a session id?

Yes. Anything stored in the session will be accessible via the session id.

[stymiee]

But only by the server side code.

[andrew embassy]

But only by the server side code.

Right- so if my server side code gives no way to send that data to the user (just retains it for insertion into a db later on, for example) then the session id won't give access to all the data, unless the attacker is able to upload his own scripts to access it, correct?

[stymiee]

Correct. And that's a whole different problem altogether.

[wwb_99]

Yes, though you want to make sure you turn off PHP's sessions in urls option for security's sake.

[BrandonK]

I still say that it's best to not do it. You may not see any reason for it now, but lets say down the road you inadvertently create a security hole. If all you have in your $_SESSION is the last 4, you don't have to worry about the massive fines and law suits if you stored the entire card number. In fact I'm sure PCI Compliance won't allow you to store the entire credit card.

[stymiee]

The last four digits of a credit card number has no value. That's why all receipts display them instead of the full credit card number. Even if it is publicly displayed without the other 11-12 digits and expiration date (and to a much lesser degree maybe even cvv and billing address) it is completely useless. It's just another number.

[andrew embassy]

Yeah, the more I read the more I understand that there's really no way to completely secure the Session variable, and 9 times out of 10 there's no reason to store the whole number anywhere, so the possible benefit to UI isn't worth it.