Reputation: 15492
First off: I'm working on an e-commerce site that will accept credit cards. In order to get from the "Enter your information" page to the "Confirm your information" page, I need to store the credit card information somewhere that it can be retrieved before it ultimately gets sent to the payment gateway.
I'm currently leaning towards storing it as a session variable. That being said, my question is:
Upvotes: 2
Views: 3432
Reputation: 5390
Requesting the credit card is the last step in the sales process. But if you want to encrypt it, use symmetric AES (Rijndael) encryption. In order to use a very difficult-to-guess key, create it randomly and store it in the session too. If you are using cookie-less sessions, neither of the two will get out of the server until you want it.
There are versions of AES libraries for almost any language. In .NET they are included in System.Security.Cryptography:
using System.Security.Cryptography;
Upvotes: -1
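An added example, not code from the answer above: one way to carry out the AES suggestion with the System.Security.Cryptography namespace it names, using a random 256-bit key per checkout. AES-GCM, the session-id binding, the `CardHold` and `Demo` names and the .NET 8 target are assumptions of this example; the card number is a constructed test value.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (assumes .NET 8+): hold a card number between two pages as an AES-GCM blob.
static class CardHold
{
    const int NonceLen = 12, TagLen = 16;

    // Returns nonce || tag || ciphertext; the freshly generated key comes back separately.
    public static byte[] Protect(string pan, string sessionId, out byte[] key)
    {
        key = RandomNumberGenerator.GetBytes(32);               // random 256-bit key, never user-derived
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceLen);
        byte[] plain = Encoding.ASCII.GetBytes(pan);
        byte[] blob = new byte[NonceLen + TagLen + plain.Length];
        nonce.CopyTo(blob, 0);
        using var gcm = new AesGcm(key, TagLen);
        // The session id is associated data: a blob moved to another session fails to decrypt.
        gcm.Encrypt(nonce, plain, blob.AsSpan(NonceLen + TagLen),
                    blob.AsSpan(NonceLen, TagLen), Encoding.ASCII.GetBytes(sessionId));
        CryptographicOperations.ZeroMemory(plain);              // wipe the plaintext copy made here
        return blob;
    }

    // Throws CryptographicException if the blob, the key or the session id does not match.
    public static string Unprotect(byte[] blob, string sessionId, byte[] key)
    {
        if (blob.Length < NonceLen + TagLen) throw new CryptographicException("blob too short");
        byte[] plain = new byte[blob.Length - NonceLen - TagLen];
        using var gcm = new AesGcm(key, TagLen);
        gcm.Decrypt(blob.AsSpan(0, NonceLen), blob.AsSpan(NonceLen + TagLen),
                    blob.AsSpan(NonceLen, TagLen), plain, Encoding.ASCII.GetBytes(sessionId));
        return Encoding.ASCII.GetString(plain);
    }
}

static class Demo
{
    static void Main()
    {
        string pan = "4111111111111111";                        // constructed test number, not a real card
        byte[] blob = CardHold.Protect(pan, "session-A", out byte[] key);
        Console.WriteLine(CardHold.Unprotect(blob, "session-A", key) == pan);   // round trip on the confirm page
        try { CardHold.Unprotect(blob, "session-B", key); }
        catch (CryptographicException) { Console.WriteLine("rejected: blob replayed in another session"); }
    }
}
```

Encryption adds protection only against a reader who can see the blob but not the key, so it matters where each of the two is kept.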
Reputation: 22578
From a UI/workflow standpoint, there really isn't any need to store the credit card information or confirm it. If it is wrong, it won't be approved. Most e-commerce sites request the credit card number as the last step after confirming address, phone, etc.
As for session, session is global to the particular session. It is not shared by other users and in general, there isn't any way to get at the data in other sessions. As such, no need to encrypt it since it is stored on the server.
If you stored sensitive information in ViewState or passed it over the QueryString, you would definitely need to encrypt it.
Upvotes: 3