You could use a one time token on each request
Bastien
Sent from my iPod
On Nov 21, 2009, at 6:30 AM, "Angus Mann" <angusmann@xxxxxxxxx> wrote:
Hi all.
A question about PHP sessions and their interaction with AJAX.
I have a database containing sensitive information and users need to
log in to my PHP script and be authenticated before they are granted
access.
For one of the forms I would like to retrieve information using
AJAX, and some of that information is sensitive also. The request
from AJAX is handled by another, simpler PHP script.
It occurs to me that the AJAX handler could be used to bypass the
user authentication and a crafted request sent directly to the AJAX
handler to get information without authentication.
Can anyone offer some advice about how to piggy-back the session/
authentication data that the user originally used to the AJAX so
that only an authenticated user will get a valid response from the
AJAX handler? I know I could embed authentication information into
the web-page and send this with the AJAX request but I'm interested
to know if there are other methods also.
I hope the explanation is clear.
Thanks in advance.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
