This was covered in a security presentation at OWASP last Thursday.

From a security and hacker viewpoint, after POS is completed (via a 3rd party like DPS), ... can the redirect from the POS site be intercepted/held up so that the session cart can have a few more items added to it before continuing the redirect back to your site?

Are you doing some user validation/sanity checks before writing the session to the DB? (PS: also be aware of SQL injection.) Encrypting the cookie would help.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of nicolaas
Sent: Thursday, 15 July 2010 6:45
To: NZ PHP Users Group
Subject: [phpug] ecommerce cart in database or in session

Hi Folks

Are there any arguments for or against the use of the session for saving cart information before committing it to a database (usually at the moment of sale confirmation)?

For:
* less database clutter
* faster?

Against:
* more code
* less information on potential sales is retained in the database

Other things to consider are:
* can save some stuff, but not all
* security / privacy matters
* database maintenance / clean-up procedures
* length of session
* ??????

I am welcoming any comments, for and against; just curious to know if there are any "best practices" in this area.

--
NZ PHP Users Group: http://groups.google.com/group/nzphpug
To post, send email to [email protected]
To unsubscribe, send email to [email protected]

The views expressed in this e-mail and any corresponding attachments do not necessarily reflect those of the Health Research Council of New Zealand. This e-mail together with any accompanying attachments may be confidential and subject to legal privilege. If you have received this message in error, please notify the sender immediately and note that you may not copy, disclose or use the content in any way. Thank you.
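The following is an added example, written for this page and not code from either message in the thread. It shows one way to close the gap the reply describes: the cart is frozen into a pending order row before the shopper is redirected to the payment gateway, and on return the shop fulfils that frozen order (checking the paid amount against the stored total) rather than whatever the live session cart contains by then. It also uses prepared statements for the database writes and validates the cart before storing it, the two other points raised in the reply. The catalogue, SKUs and prices are constructed for the example, an in-memory SQLite database stands in for the real one, and the gateway exchange is simulated; none of DPS's actual API is used.

```php
<?php
// Added example, not from the original thread. Freeze the cart into a
// pending order BEFORE redirecting to the payment gateway, and fulfil that
// snapshot on return, so items added to the session while the redirect is
// "held up" never become part of the paid order. The gateway exchange is
// simulated; no real DPS API is used.

declare(strict_types=1);

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');   // in-memory DB so the example runs offline
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE orders (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        total_cents INTEGER NOT NULL,
        status TEXT NOT NULL,
        items_json TEXT NOT NULL)');
    return $db;
}

// Sanity-check the session cart before it is written to the database:
// SKUs must match a strict pattern, quantities must be small positive ints.
function validateCart(array $cart): array {
    $clean = [];
    foreach ($cart as $sku => $qty) {
        $sku = (string) $sku;
        if (!preg_match('/^[A-Z0-9-]{1,32}$/', $sku)) {
            throw new InvalidArgumentException('bad sku');
        }
        if (!is_int($qty) || $qty < 1 || $qty > 99) {
            throw new InvalidArgumentException("bad quantity for $sku");
        }
        $clean[$sku] = $qty;
    }
    return $clean;
}

// Total the cart from a server-side price list (hypothetical catalogue).
function cartTotalCents(array $cart, array $catalogue): int {
    $total = 0;
    foreach ($cart as $sku => $qty) {
        if (!isset($catalogue[$sku])) {
            throw new RuntimeException("unknown sku $sku");
        }
        $total += $catalogue[$sku] * $qty;
    }
    return $total;
}

// Step 1: snapshot the cart as a pending order; the gateway is given the
// order id and the amount from this row, not from the session.
function beginCheckout(PDO $db, array $sessionCart, array $catalogue): array {
    $cart  = validateCart($sessionCart);
    $total = cartTotalCents($cart, $catalogue);
    $stmt = $db->prepare('INSERT INTO orders (total_cents, status, items_json) VALUES (?, ?, ?)');
    $stmt->execute([$total, 'pending', json_encode($cart)]);   // bound params, no SQL string-building
    return ['order_id' => (int) $db->lastInsertId(), 'amount_cents' => $total];
}

// Step 2: on return from the gateway, fulfil the frozen order. The live
// session cart is deliberately not consulted here.
function completeCheckout(PDO $db, int $orderId, int $paidCents): array {
    $stmt = $db->prepare('SELECT total_cents, status, items_json FROM orders WHERE id = ?');
    $stmt->execute([$orderId]);
    $order = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($order === false || $order['status'] !== 'pending') {
        throw new RuntimeException('unknown or already processed order');
    }
    if ($paidCents !== (int) $order['total_cents']) {
        throw new RuntimeException('paid amount does not match order total');
    }
    $db->prepare('UPDATE orders SET status = ? WHERE id = ?')->execute(['paid', $orderId]);
    return json_decode($order['items_json'], true);
}

// Usage with constructed data.
$catalogue   = ['WIDGET-1' => 1999, 'GADGET-2' => 4550];   // prices in cents
$db          = openDb();
$sessionCart = ['WIDGET-1' => 2];

$checkout = beginCheckout($db, $sessionCart, $catalogue);   // gateway asked for 3998 cents

// Shopper pays $39.98 at the gateway; while the redirect back is held up,
// another item is pushed into the session cart...
$sessionCart['GADGET-2'] = 1;

// ...but fulfilment uses the snapshot, so the extra item is not shipped.
$shipped = completeCheckout($db, $checkout['order_id'], 3998);
echo 'fulfilled: ' . json_encode($shipped) . "\n";   // {"WIDGET-1":2}
```

The point of the design is that the session is only a scratchpad up to the moment of checkout; once the shopper leaves for the gateway, the order that will be fulfilled already exists in the database with its total fixed, and the return handler compares the gateway's paid amount against that stored total before marking the order paid. In a real integration the order id and amount would travel in the gateway request (DPS's own fields are not shown here) and the paid amount would be read from the gateway's response or a server-to-server confirmation, never from a value the browser supplies on the way back.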
