
What level of confidential information can I save in a $_SESSION variable?

Let's say you have a shopping application with credit card payment ability. A user logs in and starts shopping. Is it OK to fetch his credit card number and password from the database and save them to a session variable as soon as the user logs in, to eliminate the need for future SQL queries in the next steps through which the user is going to complete his payment?

Please describe it when:
a) The connection is not secure
b) The connection is established under SSL security

The credit card application above is an example. I want to gain insight into the security of session variables.

Hossein asked Jun 25 '11 11:06


2 Answers

Even though session variables are stored on the server, the only real security is the session-cookie, which, if compromised, would allow any other visitor to start the same session, and hence be able to see the page in the same way as the original visitor.

The session-cookie is just a random string generated by PHP, and is viewable in plain text (unless you use SSL) for any "man in the middle", thus making it possible to hijack another person's session.

Storing any kind of sensitive data is in every way a potential security issue; that is why you today need PCI-DSS certified hosting and environment in order to process credit card information. This applies even though you never "store" it on your server: as long as the information flows through your equipment, you will need to be compliant with PCI-DSS regulation.

The reason for this is that it would always be available at some time in the computer's memory, and a compromised computer could potentially have malicious software that could identify that data and spread it for bad intentions.

jishi answered Oct 10 '22 23:10


As Dagon says, all session data typically resides on the server.

However, there are still a few pitfalls. First off, in many configurations session variables are stored in /tmp/ and owned by the web server process's owner. In a shared hosting situation, it is conceivable that other users on the shared host manage to access the session data. Second, you can configure your own session handler, e.g. to store session data in a database. In that case, all the security concerns of that implementation have to be taken into account as well.

Best not to store credit card data in the session data; just write it to a safe location and retrieve it by some sensible mechanism (e.g. database lookup) when actually needed.

Kerrek SB answered Oct 10 '22 23:10
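The points raised in the two answers (session cookie readable without SSL, session files in a shared /tmp, card data kept out of the session), as an added example that is not part of either answer. The directory path, the `customers` table and its `card_ref` column are hypothetical names chosen for illustration.

```php
<?php
// Assumed path: a directory outside /tmp and outside the web root,
// owned by this application's own user (not shared with other tenants).
const SESSION_DIR = '/var/lib/myapp/sessions';

function start_hardened_session(): void
{
    if (!is_dir(SESSION_DIR)) {
        mkdir(SESSION_DIR, 0700, true);        // owner-only access to session files
    }
    session_save_path(SESSION_DIR);

    ini_set('session.use_strict_mode', '1');   // reject session IDs the server did not issue
    ini_set('session.use_only_cookies', '1');  // never accept the session ID from the URL

    // Array form requires PHP 7.3 or later.
    session_set_cookie_params([
        'lifetime' => 0,        // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,     // cookie is sent over HTTPS only
        'httponly' => true,     // cookie is not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function on_login(int $userId): void
{
    // Issue a fresh ID after authentication and delete the old session file.
    session_regenerate_id(true);
    // Keep an identifier only: no password and no card number in the session.
    $_SESSION = ['user_id' => $userId];
}

function card_reference_for_payment(PDO $db): ?string
{
    if (!isset($_SESSION['user_id'])) {
        return null;                            // not logged in
    }
    // Looked up at the payment step itself and never cached in $_SESSION.
    // `customers.card_ref` is a hypothetical column for this example.
    $stmt = $db->prepare('SELECT card_ref FROM customers WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $ref = $stmt->fetchColumn();
    return $ref === false ? null : (string) $ref;
}
```

With this layout a stolen session file or hijacked cookie exposes a user ID rather than card data, and the one extra query happens only at the payment step.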