Let’s say you have a shopping application with credit card payment ability. A user logs in and starts shopping. Is it ok to fetch his credit card number and password from the database and save them to a session variable as soon as the user logs in, to eliminate the need for further SQL queries in the next steps through which the user is going to complete his payment?
Please describe it when:
a) The connection is not secure
b) The connection is established under SSL security
The credit card application above is an example. I want to have an insight on the security of session variables.
As Dagon says, all session data typically resides on the server.
However, there are still a few pitfalls.

First off, in many configurations session variables are stored in /tmp/ and owned by the web server process’s owner. In a shared hosting situation, it is conceivable that other users on the shared host manage to access the session data.

Second, you can configure your own session handler, e.g. to store session data in a database. In that case, all the security concerns of that implementation have to be taken into account as well.

Best not to store credit card data in the session data; just write it to a safe location and retrieve it by some sensible mechanism (e.g. database lookup) when actually needed.
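As an added illustration of the two points in the answer above (this is example code, not from the original answer or any particular project): a custom PHP session handler that keeps session rows in a database table instead of files under /tmp/, and a session that stores only an opaque reference to the payment method rather than the card data itself. It assumes a PDO connection and a `sessions` table with the columns shown; an in-memory SQLite database is used so it runs stand-alone, and the table/column names and sample values are the example's own.

```php
<?php
// Added example: a SessionHandlerInterface implementation backed by a database
// table, used in place of the default file-based (/tmp/) session storage.
// Assumed schema (constructed for this example):
//   CREATE TABLE sessions (id TEXT PRIMARY KEY, data BLOB, expires INT)
final class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $pdo, private int $ttl = 1800) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        // Only return rows that have not expired; '' means "no session yet".
        $stmt = $this->pdo->prepare('SELECT data FROM sessions WHERE id = ? AND expires > ?');
        $stmt->execute([$id, time()]);
        $row = $stmt->fetchColumn();
        return $row === false ? '' : $row;
    }

    public function write(string $id, string $data): bool
    {
        // Parameterised upsert; the session id never touches SQL text directly.
        $stmt = $this->pdo->prepare('REPLACE INTO sessions (id, data, expires) VALUES (?, ?, ?)');
        return $stmt->execute([$id, $data, time() + $this->ttl]);
    }

    public function destroy(string $id): bool
    {
        return $this->pdo->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE expires < ?');
        $stmt->execute([time()]);
        return $stmt->rowCount();
    }
}

// In-memory SQLite so the example runs offline; a real deployment would point
// PDO at the application's database with appropriately restricted credentials.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE sessions (id TEXT PRIMARY KEY, data BLOB, expires INT)');
session_set_save_handler(new DbSessionHandler($pdo), true);
session_start();

// Keep only an opaque reference in the session; the card itself stays in its
// protected store and is looked up at payment time (constructed sample values).
$_SESSION['user_id'] = 42;
$_SESSION['payment_method_ref'] = 'pm_7f3a';
```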