random1 (November 14, 2008): What kind of information is safe to put into $_SESSION? Is it fine for things like the country (US), language (American English), etc. of the user to be stored in the session?

Thread: https://forums.phpfreaks.com/topic/132646-sessions-safety/
chronister (November 14, 2008): Most any information is "safe" to hold in a session. If it is sensitive, then you should probably destroy the session as soon as it is not needed any longer, but I use sessions to store a credit card and expiration from one page to another page... and then destroy it after it is no longer needed. I am not sure what others think on this topic... but I see no real problem with it.

Nate
corbin (November 14, 2008): Chronister, if you're on shared hosting and someone knew your site stored credit card numbers, he could read all of the sessions periodically and look for credit card numbers x.x.
chronister (November 14, 2008): The site is on a VPS and I don't "store" them per se.... I use it to get the card number from the "enter billing info page" to the "confirm order page", and once the order goes through I destroy the session and unset that var. Just out of curiosity, is there a better way? I don't store them in a database, but I guess a temp table could be used as a way to avoid sessions for that kind of info. The entire "store" area is on SSL of course. How do you do this sort of thing?

Nate
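The risk corbin describes is that PHP's default session save path (usually the system /tmp) is readable by every account on a shared host, so anything written to $_SESSION in plaintext can be harvested from the files. The following is an added example, not code from the thread or from any of its posters, showing how a checkout like chronister's can carry card details between the billing and confirm pages without leaving them readable at rest: the session directory is moved to a private path, cookie flags are tightened, and the card data is encrypted with a key held outside the session store. It assumes PHP 7.3 or later with the sodium extension; the directory /var/lib/myapp/sessions, the environment variable APP_CARD_KEY_HEX, and the function names are assumptions for illustration.

```php
<?php
// Added example (not from the thread). Assumes PHP >= 7.3 with ext/sodium.
declare(strict_types=1);

// --- Session hardening, run before session_start() on every checkout page ---

// Session files go to a directory only this vhost's user can read (mode 0700),
// not the shared /tmp that every account on a shared host can list.
// /var/lib/myapp/sessions is a hypothetical path.
ini_set('session.save_path', '/var/lib/myapp/sessions');
ini_set('session.use_strict_mode', '1');   // refuse session ids the server never issued
ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
ini_set('session.gc_maxlifetime', '900');  // stale checkout sessions are collected quickly
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,       // the store area runs over SSL, as in the thread
    'httponly' => true,       // script on the page cannot read the cookie
    'samesite' => 'Strict',
]);
session_start();

// Maximum time the encrypted card blob may live in the session (seconds).
const CARD_TTL = 600;

/**
 * Load the 32-byte encryption key from the environment. APP_CARD_KEY_HEX is a
 * hypothetical variable; the point is that the key lives in the process
 * environment or a config file outside the web root, never in the session
 * store, so a neighbour who reads the session file sees only ciphertext.
 */
function cardKey(): string
{
    $key = sodium_hex2bin((string) getenv('APP_CARD_KEY_HEX'));
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('card key missing or wrong length');
    }
    return $key;
}

/** Encrypt the card fields; returns nonce||ciphertext, base64-encoded. */
function protectCard(string $pan, string $expiry, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = json_encode(['pan' => $pan, 'exp' => $expiry]);
    $box   = sodium_crypto_secretbox($plain, $nonce, $key);
    sodium_memzero($plain);
    return base64_encode($nonce . $box);
}

/** Decrypt a blob produced by protectCard(); null if tampered or malformed. */
function unprotectCard(string $blob, string $key): ?array
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        return null;   // wrong key or modified ciphertext: authentication failed
    }
    $card = json_decode($plain, true);
    sodium_memzero($plain);
    return is_array($card) ? $card : null;
}

// --- "Enter billing info" page: called after the form is validated ---
function storeBillingInfo(string $pan, string $expiry): void
{
    session_regenerate_id(true);   // new id at the sensitive step; old file is deleted
    $_SESSION['card_blob'] = protectCard($pan, $expiry, cardKey());
    $_SESSION['card_at']   = time();
}

// --- "Confirm order" page: fetch the card once, then remove it ---
function takeBillingInfo(): ?array
{
    if (!isset($_SESSION['card_blob'], $_SESSION['card_at'])) {
        return null;
    }
    $card = (time() - (int) $_SESSION['card_at'] <= CARD_TTL)
        ? unprotectCard((string) $_SESSION['card_blob'], cardKey())
        : null;                    // expired: treat exactly like a missing card
    unset($_SESSION['card_blob'], $_SESSION['card_at']);
    return $card;
}

// --- After the order goes through (or is abandoned) ---
function finishCheckout(): void
{
    $_SESSION = [];
    session_destroy();   // removes the session file, not just the variables
}
```

The blob in the session file is authenticated as well as encrypted, so a neighbour who can read the file cannot recover the number, and a modified blob simply fails to decrypt and is treated as absent. The same protectCard()/unprotectCard() pair works unchanged if the blob is moved into the temp table chronister mentions, with only a random reference id left in $_SESSION; in that case the row should be deleted in finishCheckout() as well.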