ballhogjoni Posted March 29, 2007
Is it safe and secure to save credit card info in a session and then send that info to Google Checkout through their XML API?
boo_lolly Posted March 29, 2007
i am working on a project right now where i am writing a shopping cart that will completely be handled using sessions. no database whatsoever. along with the items in the shopping cart, the user's credit card and address information will also be stored in session variables. a few things to consider. first, PHP stores session variables in the 'tmp' directory. this directory should be outside the root HTML directory that stores your website pages. second, make sure you serialize() your sensitive session data. third, beyond all of this, i would still highly recommend acquiring an SSL certificate from either verisign or instantssl.
ballhogjoni Posted March 29, 2007 Author
Thanks for the reply. I am using an SSL right now. A few questions. How do you change the tmp directory? Then make sure your session data gets stored in tmp directory after you move it outside the root HTML directory?
drewbee Posted March 29, 2007
the temp directory is changed in the PHP INI (configuration) file.
boo_lolly Posted March 29, 2007
drewbee is right. you can change the path in the php.ini file.
rcorlew Posted March 29, 2007
You can also change the /tmp directory using ini_set like this:
<?php ini_set('session.save_path', '/where/to/tmp');
Keep it above your public html directory though.
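The save-path advice in the posts above, as an added example that is not part of the original thread: a check that a candidate session directory is outside the web root and closed to other local accounts before it is applied with ini_set(). The function name session_path_problems() and the demo directories are hypothetical, and a Unix-like host is assumed.

```php
<?php
// Added example; function name and directories are hypothetical.

/** Return the problems found with a candidate session.save_path (empty = OK). */
function session_path_problems(string $savePath, string $docRoot): array
{
    $real = realpath($savePath);   // resolves symlinks and ".." segments
    $root = realpath($docRoot);
    if ($real === false || !is_dir($real)) {
        return ["$savePath does not exist or is not a directory"];
    }
    $problems = [];
    $sep = DIRECTORY_SEPARATOR;
    // Inside the web root, a server misconfiguration could serve sess_* files.
    if ($root !== false && strpos($real . $sep, $root . $sep) === 0) {
        $problems[] = "$real is inside the document root $root";
    }
    // Any group/other bit lets other local accounts list or read session files.
    $mode = fileperms($real) & 0777;
    if ($mode & 0077) {
        $problems[] = sprintf('%s has mode %04o, expected 0700', $real, $mode);
    }
    if (!is_writable($real)) {
        $problems[] = "$real is not writable by the PHP process";
    }
    return $problems;
}

// Constructed demo layout under the system temp directory.
$base    = sys_get_temp_dir() . '/sess_demo_' . getmypid();
$docRoot = "$base/public_html";
$private = "$base/sessions";
mkdir("$docRoot/tmp", 0755, true);   // weak choice: under the web root, readable
mkdir($private, 0700);               // intended choice: outside it, owner-only

$report = [];
foreach (["$docRoot/tmp", $private] as $candidate) {
    $found    = session_path_problems($candidate, $docRoot);
    $report[] = $candidate . ': ' . ($found ? implode('; ', $found) : 'OK');
}

// Apply the setting only if the directory passed, and before session_start().
if (session_path_problems($private, $docRoot) === []) {
    ini_set('session.save_path', $private);
}
echo implode(PHP_EOL, $report), PHP_EOL;
```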
ballhogjoni Posted March 29, 2007 Author
Thanks for your replies. Another question or two. Would the code look something like this when you serialize()?
serialize($_SESSION['email'] = $_POST['email'])
ballhogjoni Posted March 29, 2007 Author
anybody?
boo_lolly Posted March 29, 2007
more like:
$_SESSION['email'] = serialize($_POST['email']);
ballhogjoni Posted March 29, 2007 Author
thx