
Two way session for shipping cart

This is what I'm trying to accomplish, I'm just wondering what is the best method to achieve it.

I have a standard e-commerce site. When the customer browses the site, his cart contents are stored in a session var. The cart is NOT stored in the database unless the customer checks out.

Now, sometimes a customer calls in to the call center before he actually places an order. He then asks questions about his cart - I want the agents on the other side to be able to extract the cart content.

I was thinking of encrypting the session ID on the customer side and then presenting the "cart id" on the cart page for the customer to give the agent over the phone. I will then decrypt the session ID and the agent will be able to access the cart content directly in the cart.php page.

My questions are:

  1. Is this safe? Nowhere along the way do I store the customer's personal information in the session. Only the cart contents.
  2. What would be my best encrypting method here?
  3. Is there a simpler way to achieve this?


Is there a simpler way to achieve this?

Yup.

Store the user's cart in the database, give it an ID, and then use that ID as the token given over the phone. Try to avoid using a sequential ID here, for privacy and guessability purposes.

PHP session data is hard to work with, because it's kind of serialized data, but not quite. You'll be much better served by storing the cart in the database.

Of course, because sessions expire, carts should as well. Store the last-modified date with the cart, and occasionally clean up carts that could not possibly still belong to active sessions.

0
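
One way to implement the database-backed cart described in the answer above, as an added example that is not part of the original question or answer: a random, phone-friendly cart token that is unrelated to the session ID, a lookup that ignores expired carts, and a cleanup routine. The table layout, function names, token alphabet and the 1440-second lifetime are assumptions; SQLite in memory stands in for the shop's database.

```php
<?php
declare(strict_types=1);
// Assumed schema (not from the original post); in-memory SQLite keeps the example self-contained.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE carts (token TEXT PRIMARY KEY, items TEXT NOT NULL, last_modified INTEGER NOT NULL)');

const CART_TTL = 1440; // assumed lifetime in seconds (PHP's default session.gc_maxlifetime)
const ALPHABET = 'ABCDEFGHJKMNPQRSTVWXYZ23456789'; // 30 symbols, no 0/O/1/I/L/U, readable over the phone

// Random, non-sequential token from the CSPRNG; 10 symbols give about 49 bits.
function newCartToken(int $length = 10): string {
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        $token .= ALPHABET[random_int(0, strlen(ALPHABET) - 1)];
    }
    return $token;
}

// Create or update the cart row. The session keeps only the token; the contents live in the database.
function saveCart(PDO $db, ?string $token, array $items, int $now): string {
    $token = $token ?? newCartToken();
    $stmt = $db->prepare('REPLACE INTO carts (token, items, last_modified) VALUES (?, ?, ?)');
    $stmt->execute([$token, json_encode($items), $now]);
    return $token;
}

// Agent-side lookup: read-only, and an expired cart is treated as if it did not exist.
function loadCart(PDO $db, string $token, int $now): ?array {
    $stmt = $db->prepare('SELECT items FROM carts WHERE token = ? AND last_modified >= ?');
    $stmt->execute([strtoupper(trim($token)), $now - CART_TTL]);
    $json = $stmt->fetchColumn();
    return $json === false ? null : json_decode($json, true);
}

// Periodic cleanup (cron or similar) of carts that can no longer belong to a live session.
function purgeExpiredCarts(PDO $db, int $now): int {
    $stmt = $db->prepare('DELETE FROM carts WHERE last_modified < ?');
    $stmt->execute([$now - CART_TTL]);
    return $stmt->rowCount();
}

// Constructed sample data: one live cart and one stale cart.
$now = time();
$token = saveCart($db, null, [['sku' => 'TSHIRT-M', 'qty' => 2]], $now);
saveCart($db, 'ABCDEFGHJK', [['sku' => 'OLD', 'qty' => 1]], $now - 2 * CART_TTL);
var_dump(loadCart($db, strtolower($token), $now)); // agent types the token in lower case
var_dump(loadCart($db, 'ABCDEFGHJK', $now));       // lookup of the stale cart
var_dump(purgeExpiredCarts($db, $now));            // number of rows removed by cleanup
```

Because the token is generated independently of the session ID, reading it out over the phone gives the agent the cart row and nothing that could be used to take over the customer's session.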
