Multi step form and dealing with sensitive data?

Question

I currently have a Multi step form set up in my CodeIgniter app and I am just wondering the best way to set it because it will hold sensitive data. At the moment I have a 5 page form which uses ajax to validate each step and then redirect to the next step. I have included a 'back' button on each step and the form is populated with the data they have just entered from db sessions I have created and I am just wondering if this is a wise thing to do or not? Or should I restrict them from not being able to go back to a previous step even though this may frustrate the user. I am destroying the sessions on form submit.

Thanks in advance :)

Answer 1

PHP sessions are very secure, assuming that you have full control over your server. In regards to security though, I would suggest only using AJAX over a secure connection, otherwise everything sent backwards forwards will be readable in plain text.

There are a few things to note when dealing with PHP sessions and security:

1. Ensure the correct permissions are given to the session files on disc.
2. Use SSL when authenticating users, but more importantly...
3. ... Regenerate the session ID every time the user logs in/out or gains privileges.
4. Store auth data in the session, not a cookie.