. . "There is basically no need to encrypt such data as long as you store it in a session, because that data never reaches the client/browser/user, as it is all server-side." . .