In fact, I advised Aurthur not to store exactly that (credit card information) in sessions for this reason - but I also think there are few things that are as sensitive as credit card information, passwords, and social security numbers.
- Trevor

On 9/23/10 2:24 PM, Ryan Lane wrote:
>> As far as I know, yes. MediaWiki sets a session cookie with an ID that
>> uniquely identifies the session. The session data itself is stored in
>> some session storage (by default we let PHP handle it, on WMF we stick
>> it in memcached, I believe). So unless there's some ridiculous
>> vulnerability allowing people to obtain the value of arbitrary keys in
>> $_SESSION, you should be fine AFAIK.
>>
> The contents of that session on the server are unencrypted, correct?
> Depending on what the secret is, he may or may not want to use it. For
> instance, that is probably a terrible place to put credit card numbers
> temporarily.
>
> -- Ryan Lane
>
> _______________________________________________
> Wikitech-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
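
The point raised in the thread about server-side session contents, shown with PHP's file-based session handler. This is an added example, not code from the thread or from MediaWiki; the temporary directory, the `demo_secret` key and its value are constructed for the demonstration, and it is meant to be run with the PHP CLI.

```php
<?php
// Added illustration, not MediaWiki code. Run with the PHP CLI.
// Compares what the client would hold (the session ID) with what
// PHP's "files" session handler writes to server-side storage.

// Private scratch directory so the demo never touches real sessions.
$dir = sys_get_temp_dir() . '/sess_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);

ini_set('session.save_handler', 'files');
ini_set('session.serialize_handler', 'php');
ini_set('session.use_cookies', '0');   // CLI run: there is no cookie to send
ini_set('session.cache_limiter', '');  // no cache headers either
session_save_path($dir);

session_start();
$_SESSION['demo_secret'] = 'CONSTRUCTED-SECRET-0000'; // constructed sample value
$id = session_id();
session_write_close();                 // flush the session to storage

$path = $dir . '/sess_' . $id;
$raw  = file_get_contents($path);

echo "cookie value (session ID only): $id\n";
echo "server-side file:               $path\n";
echo "raw contents:                   $raw\n";
echo "file mode:                      ",
    substr(sprintf('%o', fileperms($path)), -4), "\n";
echo "secret readable in storage:     ",
    (strpos($raw, 'CONSTRUCTED-SECRET-0000') !== false ? 'yes' : 'no'), "\n";

// Clean up the scratch session.
unlink($path);
rmdir($dir);
```

The session ID is all the client sees, while anyone who can read the session store (the file here, or a memcached instance in the WMF setup mentioned above) sees the serialized value as written.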
