[PHP] Re: PHP sessions, AJAX, authentication and security.

2009-11-21 Thread Nathan Rixham
Angus Mann wrote:
 Hi all.
 
 A question about PHP sessions and their interaction with AJAX.
 
 I have a database containing sensitive information and users need to log in 
 to my PHP script and be authenticated before they are granted access.
 
 For one of the forms I would like to retrieve information using AJAX, and 
 some of that information is sensitive also. The request from AJAX is handled 
 by another, simpler PHP script.
 
 It occurs to me that the AJAX handler could be used to bypass the user 
 authentication and a crafted request sent directly to the AJAX handler to get 
 information without authentication.
 
 Can anyone offer some advice about how to piggy-back the 
 session/authentication data that the user originally used to the AJAX so that 
 only an authenticated user will get a valid response from the AJAX handler? I 
 know I could embed authentication information into the web-page and send this 
 with the AJAX request but I'm interested to know if there are other methods 
 also.
 
 I hope the explanation is clear.
 
 Thanks in advance. 

same as everywhere else in your apps.. ajax is no different in any way
at all, not even slightly. as far as PHP and web server is concerned
it's just a plain old request same as any other; thus..

session_start();
if( empty($_SESSION['is_logged_in']) ) {
  exit();
}
// do stuff

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Re: PHP sessions, AJAX, authentication and security.

2009-11-21 Thread Angus Mann

same as everywhere else in your apps.. ajax is no different in any way
at all, not even slightly. as far as PHP and web server is concerned
it's just a plain old request same as any other; thus..

session_start();
if( empty($_SESSION['is_logged_in']) ) {
  exit();
}
// do stuff




Thanks for that. Sometimes the solution is right there in front of you.
The bit of code below does the job nicely for me:

session_start();
if(!isset($_SESSION['username'])){
    echo("Go Away.");
    exit();
}
// now work with sensitive data...


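The pattern both replies describe, written out as an added example (this is not code from either poster): the AJAX handler is an ordinary request carrying the same session cookie as the rest of the application, so it runs the same session check before touching sensitive data. The file names, the user table and the cookie settings are assumptions; the 'username' session key follows Angus's snippet. The array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the thread. Three pieces that in practice live
// in separate files: a shared bootstrap (auth.php), the login form handler
// (login.php) and the "simpler" script the page's JavaScript calls
// (ajax_handler.php). File names and the user table are assumptions.

declare(strict_types=1);

// ---- auth.php: included by every script that touches the session ----------

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // HttpOnly keeps page scripts from reading the cookie, Secure keeps it off
    // plain HTTP, SameSite=Lax stops it riding along on cross-site POSTs.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Returns the logged-in user name, or ends the request with a 401 and a small
// JSON body. Must run before any other output, exactly like Angus's check.
function require_login(): string
{
    if (empty($_SESSION['username'])) {
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'not authenticated']);
        exit();
    }
    return $_SESSION['username'];
}

// Called once the credentials have been verified.
function mark_logged_in(string $username): void
{
    // A fresh id on privilege change stops a pre-login id from being reused.
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
}

// ---- login.php: the form POST the user completes first --------------------

// $userTable maps user name => password_hash() output, as the database would.
function handle_login(array $post, array $userTable): bool
{
    start_secure_session();
    $name = $post['username'] ?? '';
    $pass = $post['password'] ?? '';
    if (!isset($userTable[$name]) || !password_verify($pass, $userTable[$name])) {
        return false;
    }
    mark_logged_in($name);
    return true;
}

// ---- ajax_handler.php: the script the form's JavaScript calls -------------

function ajax_handler(): void
{
    start_secure_session();
    $user = require_login();          // nothing below runs for anonymous callers
    header('Content-Type: application/json');
    // Constructed payload standing in for the sensitive query result.
    echo json_encode(['user' => $user, 'records' => ['constructed record']]);
}

// Entry points (assumed layout):
//   login.php:        require 'auth.php';
//                     $userTable = ['angus' => password_hash('constructed-secret', PASSWORD_DEFAULT)];
//                     if (handle_login($_POST, $userTable)) { header('Location: /form.php'); exit(); }
//   ajax_handler.php: require 'auth.php'; ajax_handler();
```

Nothing needs to be embedded in the page for authentication: the browser attaches the session cookie to a same-origin XMLHttpRequest or fetch() call on its own, so ajax_handler.php sees the same $_SESSION the login script populated. Sending the 401 before any output, rather than echoing a message into a 200 response, also lets the calling JavaScript distinguish "not logged in" from a valid result.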