View Full Version : Remove specific data from a persistent session?

08-29-2007, 05:31 PM
What would you suggest as a way to prevent particular form data from being stored in a persistent session (e.g. credit card data)? It should exist in the browser session, but go "poof" when the browser closes (or on some other event). The form data is cached in a session with an expiration date.

Should I:

1) make a separate session for the sensitive data, so that it isn't stored?

2) edit the actual session before it gets written to the server?

would like to hear some ideas and a snippet of code if #2.



08-29-2007, 06:04 PM
Browser sessions are automatically cleared when the browser closes.

The problem is that the server doesn't know when the browser closes, hence it only does it when it hasn't been accessed in a certain amount of time. This is a setting in PHP (session.cache_expire, default is 180 minutes).

Creating a seperate session helps you in no way.

If you want to make it more secure, don't store it in a session. You shouldn't need to. If they use it to pay for something, use it on the next page.

If you really need to store it, consider storing it encrypted in a database, as it might be safer than being stored directly on the file system. Then again, if your SQL is poorly designed, it might be easier for them to read from the database.

You could also try reducing the expiration date of the session cache, but this might impact other users and their browsing experience.

It all depends on your quality of code. In the end you are best off not storing the number.

08-29-2007, 11:21 PM
Thanks for the reply, Aedrin.

I've been able to use

to clean out the values I don't want to write to the session.

That seems to be working.