I have done this quite a few times lately, you shouldn't worry.

Just have your session_start() and login security on the pages that you access with javascript as well, they will have the same security as any other page.

The sessionID is used for all requests to the server from the web browser, also from within a page from javascript. Which again means that you can use your validation scheme on these files as well.

As a side note, if you're on a page the user spends much time on, having some Ajax functionality actually works like a little heartbeat / pulse, resetting the session time so that the user in fact can spend more time on the same webpage without having to do some movement, :D

regards,
Kim Steinhaug
- - - - - - -
www.steinhaug.com

----- Original Message -----
From: "Bret Walker" <bret-walker@xxxxxxxxxxxxxxxx>
To: "PHP-Users" <php-general@xxxxxxxxxxxxx>
Cc: "Ivan Meyers" <imeyers@xxxxxxxxxxxxxxxx>
Sent: Monday, August 22, 2005 9:57 PM
Subject: AJAX coding and Sessions

> I'm authoring a web app, and I want to use some AJAX functionality.
>
> The users log in via PHP, and they are verified page to page by a
> session variable (which stores their username).
>
> I want to write some PHP that alters a database, but I want to be sure
> that only authorized users can access the page, and that they can only
> delete items associated with their username (in the table).
>
> I want to have javascript asynchronously call the php page, but I don't
> know how to protect this page. I don't think I can rely on my session
> variable, because the user won't be directly calling the page.
>
> I don't want user A to be able to submit a request to delete an item
> belonging to user B. How can I secure this setup while still using AJAX?
>
> Thanks,
> Bret
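
The approach described in the reply above, as an added example that is not part of the original thread: the PHP page called from JavaScript runs the same session check as any other page and puts the session username into the DELETE itself, so user A cannot remove user B's rows. The file name delete_item.php, the items table, its columns, the app.db path and the function name are assumptions made for illustration.

```php
<?php
// delete_item.php (hypothetical name): endpoint called asynchronously from JavaScript.
declare(strict_types=1);

// Returns an HTTP status code. $session is the session array ($_SESSION in production).
function delete_item(PDO $db, array $session, int $itemId): int
{
    // Same login check as on ordinary pages: the browser sends the session
    // cookie with AJAX requests too, so the session variable is available here.
    if (empty($session['username'])) {
        return 401; // not logged in
    }
    // Ownership is enforced in the query: the row is deleted only when it
    // belongs to the logged-in user. The username never comes from the request.
    $stmt = $db->prepare('DELETE FROM items WHERE id = :id AND username = :user');
    $stmt->execute([':id' => $itemId, ':user' => $session['username']]);
    return $stmt->rowCount() === 1 ? 200 : 404; // 404: no such item for this user
}

if (PHP_SAPI !== 'cli') {
    // Web entry point.
    session_start();
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405); // state-changing call: accept POST only
        exit;
    }
    $db = new PDO('sqlite:' . __DIR__ . '/app.db'); // assumed database location
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    http_response_code(delete_item($db, $_SESSION, (int)($_POST['id'] ?? 0)));
    exit;
}

// Command-line demonstration with constructed data (in-memory SQLite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, username TEXT, title TEXT)');
$db->exec("INSERT INTO items VALUES (1, 'userA', 'note A'), (2, 'userB', 'note B')");

$cases = [
    'no session, item 2'     => [[], 2],
    'userA on userB item 2'  => [['username' => 'userA'], 2],
    'userA on own item 1'    => [['username' => 'userA'], 1],
];
foreach ($cases as $label => [$session, $id]) {
    echo $label, ' => ', delete_item($db, $session, $id), PHP_EOL;
}
echo 'rows left: ', $db->query('SELECT COUNT(*) FROM items')->fetchColumn(), PHP_EOL;
```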