...

View Full Version : Remove specific data from a persistent session?



Opally
08-29-2007, 04:31 PM
What would you suggest as a way to prevent particular form data from being stored in a persistent session (e.g. credit card data)? It should exist in the browser session, but go "poof" when the browser closes (or on some other event). The form data is cached in a session with an expiration date.

Should I:

1) make a separate session for the sensitive data, so that it isn't stored?

2) edit the actual session before it gets written to the server?

would like to hear some ideas and a snippet of code if #2.

thanks!

---Diana

aedrin
08-29-2007, 05:04 PM
Browser sessions are automatically cleared when the browser closes.

The problem is that the server doesn't know when the browser closes, hence it only does it when it hasn't been accessed in a certain amount of time. This is a setting in PHP (session.cache_expire, default is 180 minutes).

Creating a seperate session helps you in no way.

If you want to make it more secure, don't store it in a session. You shouldn't need to. If they use it to pay for something, use it on the next page.

If you really need to store it, consider storing it encrypted in a database, as it might be safer than being stored directly on the file system. Then again, if your SQL is poorly designed, it might be easier for them to read from the database.

You could also try reducing the expiration date of the session cache, but this might impact other users and their browsing experience.

It all depends on your quality of code. In the end you are best off not storing the number.

Opally
08-29-2007, 10:21 PM
Thanks for the reply, Aedrin.

I've been able to use

unset($_SESSION['sessionname']['fieldname']);
to clean out the values I don't want to write to the session.

That seems to be working.



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum