  1. #1
    SitePoint Member
    Join Date
    Jun 2007
    Location
    Seattle
    Posts
    18

    Risk analysis- storing obscured cc# in $_SESSION

    Hey everybody- first time poster here.

    So I'm getting close to completing a shopping cart app that's been under construction for over a year, and I'm trying to figure out just how much information is safe to store in the $_SESSION variable.

    If my understanding of the $_SESSION variable is correct, generally you shouldn't store critical information in it because if anyone is listening in when it's set they can use the id to access any information stored in the variable.

    Obviously my payment page is over a secure connection, and I'm not storing the actual credit card information in the $_SESSION variable (I'm actually not storing it anywhere; once the user posts it to the script it goes directly to the API), but I would like to be able to store an obscured credit card number (i.e. ************1234) so that the user can see which card they're using after they enter it, and I don't have to keep posting it to every page in the checkout process. I'll be unsetting this session variable once the confirmation page is displayed, so it won't be just sitting there forever.

    How much of a risk is this? It seems that the last four digits of a credit card are pretty low-risk; they're constantly emailed over unsecure connections, etc. While eventually I plan on instating a more secure session system (which I have further questions about), for now am I okay with this, or should I just forgo this luxury?

    Thanks!

  2. #2
    stymiee (He's No Good To Me Dead)
    Join Date
    Feb 2003
    Location
    Slave I
    Posts
    23,424
    If it is only the last four digits of the card number that's perfectly fine.

  3. #3
    SitePoint Member
    Join Date
    Jun 2007
    Location
    Seattle
    Posts
    18
    Whoops, thanks for the move.

    And thanks for the answer too!

  4. #4
    Immerse (SitePoint Wizard)
    Join Date
    Mar 2006
    Location
    Netherlands
    Posts
    1,661
    Originally posted by andrew embassy:
    "If my understanding of the $_SESSION variable is correct, generally you shouldn't store critical information in it because if anyone is listening in when it's set they can use the id to access any information stored in the variable."
    This isn't quite true, I think you may be confusing $_SESSION and $_COOKIE. $_SESSION is stored on the server, and is not transmitted over the 'net. As such, people listening in will not see $_SESSION. That's not to say it's automatically safe, especially if you're on shared hosting. If the server is configured incorrectly, other people's sites may have access to your site's session files.

    But, as Stymiee said, storing the last 4 characters of the CC number can't do any harm.

  5. #5
    SitePoint Member
    Join Date
    Jun 2007
    Location
    Seattle
    Posts
    18
    Hey Immerse-

    Yeah, I('m pretty sure I) understand $_SESSION properly; I misspoke- I should have said "if anyone is listening in when it's set they can use the id to access any information you return to the user from the variable".

    So, if I could get a solid confirmation that the server is correctly set up to avoid any spying on my session variables, and I don't transmit the cc# back to the user at any point, I could conceivably store the cc# in the session variable for a time if I was sure to delete it immediately after I did what I wanted with it? That would make things smoother for the user if they have to go back and edit their shipping information and such...

  6. #6
    SitePoint Guru
    Join Date
    Dec 2005
    Posts
    982
    I wouldn't store the full CC# in the SESSION file. If someone were to steal the session_id (often times stored in a cookie), they would then have the ability to get the full CC#. But you are 100% okay with saving the last 4 digits of a CC# in a SESSION (you could even do it in a cookie b/c those 4 numbers are practically worthless).
    MySQL v5.1.58
    PHP v5.3.6

  7. #7
    SitePoint Member
    Join Date
    Jun 2007
    Location
    Seattle
    Posts
    18
    Originally posted by BrandonK:
    "I wouldn't store the full CC# in the SESSION file. If someone were to steal the session_id (often times stored in a cookie), they would then have the ability to get the full CC#. But you are 100% okay with saving the last 4 digits of a CC# in a SESSION (you could even do it in a cookie b/c those 4 numbers are practically worthless)."
    Well, this seems contrary to what Immerse has said- If I store the cc# in the $_SESSION id, but don't give a way for any of my scripts to pass it over the net, then could somebody access it with just a session id?

  8. #8
    SitePoint Enthusiast
    Join Date
    Jun 2007
    Location
    Bristol, England
    Posts
    74
    Originally posted by andrew embassy:
    "Well, this seems contrary to what Immerse has said- If I store the cc# in the $_SESSION id, but don't give a way for any of my scripts to pass it over the net, then could somebody access it with just a session id?"
    Yes. Anything stored in the session will be accessible via the session id.

  9. #9
    stymiee (He's No Good To Me Dead)
    Join Date
    Feb 2003
    Location
    Slave I
    Posts
    23,424
    But only by the server side code.

  10. #10
    SitePoint Member
    Join Date
    Jun 2007
    Location
    Seattle
    Posts
    18
    Originally posted by stymiee:
    "But only by the server side code."
    Right- so if my server side code gives no way to send that data to the user (just retains it for insertion into a db later on, for example) then the session id won't give access to all the data, unless the attacker is able to upload his own scripts to access it, correct?

  11. #11
    stymiee (He's No Good To Me Dead)
    Join Date
    Feb 2003
    Location
    Slave I
    Posts
    23,424
    Correct. And that's a whole different problem altogether.

  12. #12
    wwb_99 (SitePoint Author)
    Join Date
    May 2003
    Location
    Washington, DC
    Posts
    10,653
    Yes, though you want to make sure you turn off PHP's sessions in urls option for security's sake.

  13. #13
    SitePoint Guru
    Join Date
    Dec 2005
    Posts
    982
    I still say that it's best to not do it. You may not see any reason for it now, but let's say down the road you inadvertently create a security hole. If all you have in your $_SESSION is the last 4, you don't have to worry about the massive fines and lawsuits if you stored the entire card number. In fact I'm sure PCI Compliance won't allow you to store the entire credit card.
    MySQL v5.1.58
    PHP v5.3.6

  14. #14
    stymiee (He's No Good To Me Dead)
    Join Date
    Feb 2003
    Location
    Slave I
    Posts
    23,424
    The last four digits of a credit card number have no value. That's why all receipts display them instead of the full credit card number. Even if it is publicly displayed without the other 11-12 digits and expiration date (and to a much lesser degree maybe even cvv and billing address) it is completely useless. It's just another number.

  15. #15
    SitePoint Member
    Join Date
    Jun 2007
    Location
    Seattle
    Posts
    18
    Yeah, the more I read the more I understand that there's really no way to completely secure the Session variable, and 9 times out of 10 there's no reason to store the whole number anywhere, so the possible benefit to UI isn't worth it.
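
The approach the thread converges on, as an added example that is not part of any post: keep only the masked number in $_SESSION, keep the session ID out of URLs, and drop the value after the confirmation page. The function names and the `card_display` session key are hypothetical, and the code assumes PHP 7.3 or later (for the array form of `session_set_cookie_params`).

```php
<?php
// Added example; function names and the session key are hypothetical.

// Harden the session before session_start(): the ID travels only in a
// cookie (never in URLs), and that cookie is HTTPS-only and hidden from JS.
function start_checkout_session(): void
{
    ini_set('session.use_trans_sid', '0');    // the "sessions in URLs" option
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    session_set_cookie_params([
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Reduce a card number to the display form used in the thread: ************1234.
function mask_card_number(string $pan): string
{
    $digits = preg_replace('/\D/', '', $pan);   // drop spaces and dashes
    $len = strlen($digits);
    if ($len < 13 || $len > 19) {
        throw new InvalidArgumentException('Unexpected card number length');
    }
    return str_repeat('*', $len - 4) . substr($digits, -4);
}

// Called by the payment handler after start_checkout_session(): the full
// number goes to the payment API (not shown); only the masked form is kept.
function remember_masked_card(string $pan): void
{
    $_SESSION['card_display'] = mask_card_number($pan);
    session_regenerate_id(true);   // issue a fresh ID after the sensitive step
}

// Called once the confirmation page has been rendered.
function forget_masked_card(): void
{
    unset($_SESSION['card_display']);
}

// Constructed test number, not a real card.
echo mask_card_number('4111 1111 1111 1111'), PHP_EOL;
```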

