Angus Mann wrote:
> Hi all.
>
> A question about PHP sessions and their interaction with AJAX.
>
> I have a database containing sensitive information and users need to log in
> to my PHP script and be authenticated before they are granted access.
>
> For one of the forms I would like to retrieve information using AJAX, and
> some of that information is sensitive also. The request from AJAX is handled
> by another, simpler PHP script.
>
> It occurs to me that the AJAX handler could be used to bypass the user
> authentication and a crafted request sent directly to the AJAX handler to get
> information without authentication.
>
> Can anyone offer some advice about how to piggy-back the
> session/authentication data that the user originally used to the AJAX so that
> only an authenticated user will get a valid response from the AJAX handler? I
> know I could embed authentication information into the web-page and send this
> with the AJAX request but I'm interested to know if there are other methods
> also.
>
> I hope the explanation is clear.
>
> Thanks in advance.
same as everywhere else in your apps.. ajax is no different in any way
at all, not even slightly. as far as PHP and web server is concerned
it's just a plain old request same as any other; thus..
if( !$_SESSION['is_logged_in'] ) {
exit();
}
// do stuff
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
