At 9:30 PM +1000 11/21/09, Angus Mann wrote:
Hi all.
A question about PHP sessions and their interaction with AJAX.
I have a database containing sensitive information and users need to
log in to my PHP script and be authenticated before they are granted
access.
For one of the forms I would like to retrieve information using
AJAX, and some of that information is sensitive also. The request
from AJAX is handled by another, simpler PHP script.
It occurs to me that the AJAX handler could be used to bypass the
user authentication and a crafted request sent directly to the AJAX
handler to get information without authentication.
Can anyone offer some advice about how to piggy-back the
session/authentication data that the user originally used onto the
AJAX request, so that only an authenticated user will get a valid
response from the AJAX handler? I know I could embed authentication
information into the web page and send this with the AJAX request,
but I'm interested to know if there are other methods also.
I hope the explanation is clear.
Thanks in advance.
Angus:
First, don't trust anything that comes from the client -- period.
Second, Ajax is just another way to send stuff to the server. When
the data gets to the server then authenticate and set a session
variable to indicate such. This is not rocket science, but if you
don't do it right you'll leave a crater.
Cheers,
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
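One way to do what tedd describes, as an added example that is not from either poster: the login script verifies the password on the server and stores the user id in the session, and the AJAX handler calls session_start() and refuses to serve anything unless that session variable is present. Because the browser attaches the session cookie to an XMLHttpRequest automatically, nothing needs to be embedded in the page for authentication; what the page should carry is a per-session CSRF token, since a forged cross-site request would carry the cookie too. The users table, its password_hash column, the owner_id column on the sensitive table and the send_json helper are assumptions for this example.

```php
<?php
// Added example, not code from the original thread.
// Assumptions (hypothetical): a users(id, username, password_hash) table,
// a records(owner_id, data) table, and a PDO connection in $db.
declare(strict_types=1);

session_start();

// Emit a JSON reply with an HTTP status and stop; every failure path ends here.
function send_json(int $status, array $payload): void
{
    http_response_code($status);
    header('Content-Type: application/json; charset=utf-8');
    echo json_encode($payload);
    exit;
}

// login.php: never trust the client; verify credentials server-side and only
// then mark the session as authenticated.
function handle_login(PDO $db): void
{
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';

    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($pass, $row['password_hash'])) {
        send_json(401, ['error' => 'invalid credentials']);
    }

    session_regenerate_id(true);               // new id on privilege change (fixation)
    $_SESSION['user_id'] = (int) $row['id'];    // the "authenticated" flag tedd mentions
    $_SESSION['csrf']    = bin2hex(random_bytes(32));

    // The page embeds this token and sends it back in an X-CSRF-Token header.
    send_json(200, ['ok' => true, 'csrf' => $_SESSION['csrf']]);
}

// Shared check for every handler that returns sensitive data, AJAX or not.
function require_auth(): int
{
    if (empty($_SESSION['user_id'])) {
        send_json(401, ['error' => 'not authenticated']);
    }

    // The session cookie is sent automatically, so also require a value that
    // only our own page could know; compare in constant time.
    $expected = $_SESSION['csrf'] ?? '';
    $given    = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
    if ($expected === '' || !hash_equals($expected, $given)) {
        send_json(403, ['error' => 'missing or bad CSRF token']);
    }

    return (int) $_SESSION['user_id'];
}

// ajax_handler.php: the simpler script gets the same gate as the main form,
// and the query is scoped to the logged-in user (authorization, not just
// authentication), so a crafted request cannot read someone else's rows.
function handle_ajax(PDO $db): void
{
    $uid = require_auth();

    $stmt = $db->prepare('SELECT data FROM records WHERE owner_id = ?');
    $stmt->execute([$uid]);
    send_json(200, ['records' => $stmt->fetchAll(PDO::FETCH_COLUMN)]);
}

// Minimal dispatch so the two handlers can live in one file for illustration.
$db = new PDO('sqlite::memory:');
match ($_GET['action'] ?? '') {
    'login' => handle_login($db),
    'fetch' => handle_ajax($db),
    default => send_json(404, ['error' => 'unknown action']),
};
```

The client side only has to send the token it was given, for example `xhr.setRequestHeader('X-CSRF-Token', token)`; the cookie rides along on its own. Note that require_auth() calls session_start() indirectly through the file's top, so a handler that forgets session_start() would see an empty $_SESSION and fail closed rather than open.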
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php