Correct,

the key would be stored in the DB and be user specific.
While I agree that storing the session in the DB as well would be a
nice bit of added security, it wouldn't avoid the problem, as I would
still need to store CCs in there encrypted as well.
Also, how does HTTPS protect session information? I'm not aware it
does that, but then again, I'm here asking questions out of ignorance
in the first place. ;)

Have a great day everybody,
and thanks for the advice.

Daniel


On Jun 13, 5:14 pm, James <[EMAIL PROTECTED]> wrote:
> Why do you assume the key is in the session? If I were going to
> encrypt something and put it in the session, the key sure would not be
> along with it; I would use data specific to the user (each user has
> their own key), based on things like username/zipcode/ipaddress,
> probably a mashup of 3 bits of personal information that not everyone
> would be able to get.
>
> James
>
> On Jun 13, 2008, at 2:58 PM, Nathanael D. Noblet wrote:
>
> > Richtermeister wrote:
> >> Hi all,
>
> >> your points are well taken, and I'm not trying to put the cc numbers
> >> into a database for the very same reason..
> >> I do, however, have to put it into the session as part of the checkout
> >> process, before I even get to use a payment gateway (after that it'll
> >> get obfuscated right away, and I only store the last 4 digits, yes..).
> >> Since session files are non-encrypted, and the system may at some
> >> point run on a shared server, I would like to encrypt at least the
> >> number before I put it in.
>
> >> Sounds good?
>
> > What is stopping them from decrypting them? If they can read the
> > session files, they can read the key to decrypt as well. My suggestion
> > would be to store the sessions in a DB, so they aren't readable by
> > anyone who can't login to your DB with your credentials. Though I
> > guess they can read your connection file... I just wonder if there
> > really is a way to store this safely...
>
> > --
> > Nathanael D. Noblet
> > Gnat Solutions, Inc
> > T: 403.875.4613
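The design the thread converges on (ciphertext in the session, the key in the user's DB row, never in the session file itself) is shown below as an added example; it is not code from the thread or from symfony. It assumes PHP 7.2+ with the sodium extension, and `loadUserKey()` is a hypothetical stand-in for the query that fetches a per-user key from the database. The session id is bound in as associated data, so a blob copied out of one session file is useless in another; the constructed card number is the public Visa test value, not real data.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Assumes a 32-byte per-user key kept in
// the user's DB row (loadUserKey() is a stand-in for that query) and a session
// store that other tenants on a shared host may be able to read, so only
// ciphertext is ever written into $_SESSION.

/** Stand-in for "SELECT session_key FROM users WHERE id = ?". The key is
 *  random per user and never copied into the session (that would defeat it). */
function loadUserKey(int $userId): string
{
    static $fakeDb = [];   // constructed in-memory "table" for the demo
    if (!isset($fakeDb[$userId])) {
        $fakeDb[$userId] = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES);
    }
    return $fakeDb[$userId];
}

/** Encrypt one sensitive field before it goes into the session. The session id
 *  is authenticated as associated data, so the blob only opens in this session. */
function sealForSession(string $plaintext, string $userKey, string $sessionId): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
    $ct = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($plaintext, $sessionId, $nonce, $userKey);
    return base64_encode($nonce . $ct);   // session handlers want a plain string
}

/** Returns null if the key is wrong, the blob was altered, or it came from
 *  another session; the caller must not treat null as "empty card number". */
function openFromSession(string $sealed, string $userKey, string $sessionId): ?string
{
    $raw  = base64_decode($sealed, true);
    $nlen = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
    if ($raw === false || strlen($raw) <= $nlen) {
        return null;
    }
    $pt = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
        substr($raw, $nlen), $sessionId, substr($raw, 0, $nlen), $userKey);
    return $pt === false ? null : $pt;
}

// --- demo with constructed values (no real session, no real card) -----------
$sessionId  = 'constructed-session-id';
$userId     = 42;
$session    = [];                     // stands in for $_SESSION
$cardNumber = '4111111111111111';     // public Visa test number, not real data

// Checkout step 1: store ciphertext plus the non-sensitive last four digits.
$session['cc_enc']   = sealForSession($cardNumber, loadUserKey($userId), $sessionId);
$session['cc_last4'] = substr($cardNumber, -4);

// This is all a neighbour reading the session file on a shared host would see.
echo "session contents: ", json_encode($session), PHP_EOL;

// Checkout step 2: the gateway call recovers the number using the DB-held key.
$recovered = openFromSession($session['cc_enc'], loadUserKey($userId), $sessionId);
echo "decrypt with the user's DB key: ", $recovered === $cardNumber ? 'ok' : 'FAILED', PHP_EOL;

// Nathanael's objection made concrete: without the key the blob is useless...
$wrongKey = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES);
var_dump(openFromSession($session['cc_enc'], $wrongKey, $sessionId));                  // NULL
// ...and so is the blob replayed into a different session, even with the key.
var_dump(openFromSession($session['cc_enc'], loadUserKey($userId), 'other-session'));  // NULL

// Step 3: once the gateway has answered, drop the ciphertext; keep only last4.
unset($session['cc_enc']);
```

The example uses a random key per user rather than one derived from username, ZIP code or IP address, because those values have little entropy and are often known to the same people who can read a shared host's session directory; the key's protection then rests on the DB credentials, which is exactly the boundary the thread is trying to move the secret behind.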