I'm authoring a web app, and I want to use some AJAX functionality. The users log in via PHP, and they are verified page to page by a session variable (which stores their username). I want to write some PHP that alters a database, but I want to be sure that only authorized users can access the page, and that they can only delete items associated with their username (in the table). I want to have JavaScript asynchronously call the PHP page, but I don't know how to protect this page. I don't think I can rely on my session variable, because the user won't be directly calling the page. I don't want user A to be able to submit a request to delete an item belonging to user B. How can I secure this setup while still using AJAX? Thanks, Bret
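An added illustration of the endpoint described in the question (example code, not the poster's): the browser sends the same session cookie with an AJAX request as with a normal page load, so the PHP page can still check `$_SESSION`; the ownership restriction goes into the SQL `WHERE` clause, and a per-session CSRF token keeps other sites from triggering the request. The table and column names (`items`, `id`, `owner`), the PDO DSN and credentials, and the `X-CSRF-Token` header name are assumptions.

```php
<?php
// delete_item.php -- example AJAX delete endpoint (added illustration, not the poster's code).
// Assumed schema: table `items` with columns `id` and `owner` (owner = username).
session_start();
header('Content-Type: application/json');

// 1. Authentication: the session cookie accompanies the AJAX call too, so an
//    unauthenticated caller simply has no username in the session.
if (empty($_SESSION['username'])) {
    http_response_code(401);
    echo json_encode(['error' => 'not logged in']);
    exit;
}

// 2. CSRF: require a per-session token that only pages we served can know.
//    Assumed to be set at login as $_SESSION['csrf'] = bin2hex(random_bytes(32))
//    and echoed back by the JavaScript in the X-CSRF-Token request header.
$token = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || empty($_SESSION['csrf'])
    || !hash_equals($_SESSION['csrf'], $token)) {
    http_response_code(403);
    echo json_encode(['error' => 'bad request']);
    exit;
}

// 3. Input validation: the item id must be a positive integer.
$itemId = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($itemId === false || $itemId === null) {
    http_response_code(400);
    echo json_encode(['error' => 'invalid id']);
    exit;
}

// 4. Authorization lives in the query: the owner comes from the session, never
//    from the request, so user A cannot name user B's rows. (DSN/credentials are placeholders.)
$pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$stmt = $pdo->prepare('DELETE FROM items WHERE id = :id AND owner = :owner');
$stmt->execute([':id' => $itemId, ':owner' => $_SESSION['username']]);

// rowCount() is 0 when the row does not exist or belongs to someone else;
// report both the same way so the response does not reveal which it was.
if ($stmt->rowCount() === 0) {
    http_response_code(404);
    echo json_encode(['error' => 'no such item']);
    exit;
}
echo json_encode(['deleted' => $itemId]);
```

On the client side a same-origin `fetch('delete_item.php', {method: 'POST', headers: {'X-CSRF-Token': token}, body: new URLSearchParams({id})})` carries the session cookie automatically, so no credentials need to be passed through the JavaScript itself.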