  1. #1
    New Coder
    Join Date
    Feb 2006
    Location
    Charlottesville, VA
    Posts
    94
    Thanks
    5
    Thanked 0 Times in 0 Posts

    Remove specific data from a persistent session?

    What would you suggest as a way to prevent particular form data from being stored in a persistent session (e.g. credit card data)? It should exist in the browser session, but go "poof" when the browser closes (or on some other event). The form data is cached in a session with an expiration date.

    Should I:

    1) make a separate session for the sensitive data, so that it isn't stored?

    2) edit the actual session before it gets written to the server?

    Would like to hear some ideas, and a snippet of code if #2.

    Thanks!

    ---Diana

  • #2
    Senior Coder
    Join Date
    Jan 2007
    Posts
    1,648
    Thanks
    1
    Thanked 58 Times in 54 Posts
    Browser sessions are automatically cleared when the browser closes.

    The problem is that the server doesn't know when the browser closes, hence it only does it when it hasn't been accessed in a certain amount of time. This is a setting in PHP (session.cache_expire, default is 180 minutes).

    Creating a separate session helps you in no way.

    If you want to make it more secure, don't store it in a session. You shouldn't need to. If they use it to pay for something, use it on the next page.

    If you really need to store it, consider storing it encrypted in a database, as it might be safer than being stored directly on the file system. Then again, if your SQL is poorly designed, it might be easier for them to read from the database.

    You could also try reducing the expiration date of the session cache, but this might impact other users and their browsing experience.

    It all depends on your quality of code. In the end you are best off not storing the number.

  • #3
    New Coder
    Join Date
    Feb 2006
    Location
    Charlottesville, VA
    Posts
    94
    Thanks
    5
    Thanked 0 Times in 0 Posts
    Thanks for the reply, Aedrin.

    I've been able to use
    PHP Code:
    unset($_SESSION['sessionname']['fieldname']); 
    to clean out the values I don't want to write to the session.

    That seems to be working.
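
An added example, not part of any post in this thread: one way to apply the `unset()` approach to several fields at once and write the session only after scrubbing. The field names, the `checkout` key (standing in for `sessionname`) and the request flow in the comments are assumptions.

```php
<?php
// Hypothetical field names; adjust to the form's real input names.
const SENSITIVE_FIELDS = ['card_number', 'cvv', 'card_expiry'];

/**
 * Remove sensitive fields from one form bucket of a session array.
 * Returns the names of the fields that were actually removed.
 */
function scrub_session_form(array &$session, string $formKey, array $fields): array
{
    $removed = [];
    // Nothing to do if the form was never cached or is not an array.
    if (!isset($session[$formKey]) || !is_array($session[$formKey])) {
        return $removed;
    }
    foreach ($fields as $field) {
        if (array_key_exists($field, $session[$formKey])) {
            unset($session[$formKey][$field]);
            $removed[] = $field;
        }
    }
    return $removed;
}

// In a web request (assumed flow):
//   session_start();
//   $_SESSION['checkout'] = $_POST;         // form data cached for redisplay
//   $card = $_POST['card_number'] ?? '';    // use the value in this request only
//   scrub_session_form($_SESSION, 'checkout', SENSITIVE_FIELDS);
//   session_write_close();                  // only the scrubbed data is persisted

// Constructed sample data so the block runs from the CLI without a session.
$session = ['checkout' => [
    'name'        => 'Test User',
    'card_number' => '4111111111111111',     // constructed test value
    'cvv'         => '123',
]];
$removed = scrub_session_form($session, 'checkout', SENSITIVE_FIELDS);
print_r($removed);  // fields that were stripped
print_r($session);  // what would be written to session storage
```

Calling `session_write_close()` right after the scrub makes the write point explicit, so later code in the same request cannot put the values back into the stored session.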

