PHP Protecting from Session Fixation/Hijacking


I'm maintaining a low-traffic shop website that stores credit card numbers in the database. This isn't right (or even legal I believe), so I'm changing the way the numbers are stored.

The way the site is structured, the credit card information page posts to itself, validates data, stores the data in the db, and then redirects the user to a cc verification page where the cc is verified and the order is placed. After that, they are redirected again to an order completion page. Anyway, to get the cc number from the cc info page to the verification page, I was thinking about using session, but I'm worried about vulnerabilities and am trying to look into them (I'm reading this ref. and this one). I can store the cc number in session, retrieve it on the next page, use it, and unset() it, and it is gone within seconds (also note, these pages use SSL). Something like:

cc info page:

<?php
session_start();
$_SESSION['card_number'] = $_POST['cardnumber']; //please tell me if there are vulnerabilities here setting directly from $_POST
...
header(sprintf("Location: %s", $insertGoTo));
exit; // stop here so nothing after the redirect header keeps running

cc verification page:

<?php
session_start();
$cardNumber = $_SESSION['card_number'] ?? null; // retrieve the number stored by the cc info page
unset($_SESSION['card_number']);                 // drop it from the session as soon as it has been read

Only the card# is being stored in session, the rest of cc info is in the database. Though I don't think someone can do much with just the cc#, it should still be secured as much as possible.

Given I use session.use_trans_sid = 0 and session.use_only_cookies = 1 (where session identifiers are only handled through cookies and not URLs (not sure why I need both)), and given my use of this specific session variable, is this code vulnerable to session fixation? Would it be beneficial to regenerate the session ID (after or before?) I set the cc# in session in this case? I'm guessing yes, and since the protocol is SSL by this point, I'm also guessing that once the session has been regenerated, I'm protected as far as the SSL will get me?

So, my main question is, following these guidelines with my site, would a skilled attacker have a reasonably difficult time fixating/hijacking session to get a user's cc# for the amount of time it exists (roughly 3-15 seconds)? If not, how, if possible, can I get it to that point?
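The session handling the question asks about, written out as an added example (this is not the asker's code or anything from the site). It assumes PHP 7.3 or later for the array form of session_set_cookie_params(), HTTPS on both pages, and the two function names and the 30-second TTL are choices made here for illustration. It shows the settings from the question (use_only_cookies, use_trans_sid) together with strict mode, which makes PHP discard any session id the server did not issue, and it regenerates the id at the point where sensitive state enters the session rather than before or after the whole flow.

```php
<?php
// Added example: session bootstrap shared by the cc info page and the
// cc verification page. Assumes PHP >= 7.3 and HTTPS on both pages.

declare(strict_types=1);

function secure_session_start(): void
{
    // Session id travels only in a cookie, never in the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject ids the server did not create: a fixated id is simply ignored
    // and a fresh one is issued instead.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,    // cookie is only sent over HTTPS
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Strict',
    ]);
    session_start();
}

// cc info page: call after validation, right before sensitive data goes in.
function store_transient_secret(string $key, string $value, int $ttlSeconds = 30): void
{
    // New id at the moment sensitive state is created: any id that existed
    // before (and could have been planted) no longer maps to this data.
    session_regenerate_id(true);
    $_SESSION[$key] = [
        'value'   => $value,
        'expires' => time() + $ttlSeconds,
    ];
}

// cc verification page: read once, then destroy.
function take_transient_secret(string $key): ?string
{
    if (!isset($_SESSION[$key])) {
        return null;
    }
    $entry = $_SESSION[$key];
    unset($_SESSION[$key]);            // one-shot: removed even if the check below fails
    if (!is_array($entry) || $entry['expires'] < time()) {
        return null;                   // a stale value is treated as absent
    }
    return (string) $entry['value'];
}

// cc info page (after the existing validation; $insertGoTo is the page's own variable):
//   secure_session_start();
//   store_transient_secret('card_number', $validatedCardNumber);
//   header('Location: ' . $insertGoTo, true, 303);
//   exit;
//
// cc verification page:
//   secure_session_start();
//   $cardNumber = take_transient_secret('card_number');   // null if missing or expired
```

The TTL is the part that addresses the "3-15 seconds" in the question: the value is unusable after the window even if the verification page is never reached, so an abandoned checkout does not leave the number sitting in the session file until garbage collection runs. Regeneration belongs inside store_transient_secret() rather than in secure_session_start() so that the id changes exactly when the session's sensitivity changes.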


There are 2 answers

Adam Fowler (accepted answer)

Even if the session was hijacked, the person could only get the CC number if your script is allowing the user to see the CC number, or there is a dump of the session on your site.

Also keep in mind that it can be unlawful to store CC numbers in a database in plaintext. If you're worried about data theft, be sure to encode or encrypt all sensitive data.

Good luck!

Cfreak

You should never store the card number at all. By default PHP stores the session in a file on your machine. If your machine was compromised someone could steal the credit card numbers from the session file.

What you should be doing is taking all the information and passing it straight to a credit card processor like Authorize.Net or using a service that allows the user to pay on a domain hosted by the service and then returns them to you with an auth code so you know they paid (PayPal has such a service, I know they aren't the best but there are others).

Capturing the information at all requires you to have at least some level of PCI compliance. Storing the card information at all requires a much higher level.

There's tons of stuff out there about PCI. Here's the wiki on it: http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
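The flow this answer recommends, written out as an added example (not Cfreak's code, and not any processor's real SDK): the card number is validated, handed to the processor, and only an opaque token plus a masked display string are kept. The CardTokenizer interface, the in-memory DemoTokenizer and the function names are assumptions made here for illustration; a real integration would implement the interface against the processor's API. The sample card number and POST data are constructed test values.

```php
<?php
// Added example: capture card details without ever persisting the PAN.

declare(strict_types=1);

interface CardTokenizer
{
    /** Returns an opaque token the processor can charge later; never the PAN. */
    public function tokenize(string $pan, string $expMonth, string $expYear): string;
}

// Stand-in for a real processor client; exists only so the example runs offline.
final class DemoTokenizer implements CardTokenizer
{
    public function tokenize(string $pan, string $expMonth, string $expYear): string
    {
        return 'tok_' . bin2hex(random_bytes(8));   // opaque, unrelated to the PAN
    }
}

// Luhn check: rejects typos before anything is sent to the processor.
function luhn_valid(string $pan): bool
{
    if (!preg_match('/^\d{12,19}$/', $pan)) {
        return false;
    }
    $sum = 0;
    $double = false;
    for ($i = strlen($pan) - 1; $i >= 0; $i--) {
        $d = (int) $pan[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9;
            }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

// The only form of the number that may be shown or stored: last four digits.
function mask_pan(string $pan): string
{
    return str_repeat('*', strlen($pan) - 4) . substr($pan, -4);
}

/**
 * Returns the data the shop is allowed to keep: token and display string.
 * The PAN is used once, in this function, and is not returned or stored.
 */
function capture_card(array $post, CardTokenizer $processor): array
{
    $pan = preg_replace('/[\s-]/', '', (string) ($post['cardnumber'] ?? ''));
    if (!luhn_valid($pan)) {
        throw new InvalidArgumentException('Card number failed validation');
    }
    $token   = $processor->tokenize($pan, (string) $post['exp_month'], (string) $post['exp_year']);
    $display = mask_pan($pan);
    unset($pan);                      // nothing below has access to the number
    return ['token' => $token, 'display' => $display];
}

// Constructed sample input (a standard test card number, not a real account).
$samplePost = ['cardnumber' => '4111 1111 1111 1111', 'exp_month' => '12', 'exp_year' => '2030'];
$kept = capture_card($samplePost, new DemoTokenizer());
// $kept['display'] is "************1111"; $kept['token'] is a random tok_... value.
// Only $kept goes into the database or the session; the verification page
// charges $kept['token'] through the processor and shows $kept['display'].
```

With this shape the verification page never needs the number at all, so the session-fixation question largely disappears: a hijacked session would expose a token that is only usable through the merchant's own processor account and a masked string.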