Re: PHP sessions, AJAX, authentication and security.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Angus Mann wrote:
> Hi all.
> 
> A question about PHP sessions and their interaction with AJAX.
> 
> I have a database containing sensitive information and users need to log in to my PHP script and be authenticated before they are granted access.
> 
> For one of the forms I would like to retrieve information using AJAX, and some of that information is sensitive also. The request from AJAX is handled by another, simpler PHP script.
> 
> It occurs to me that the AJAX handler could be used to bypass the user authentication and a crafted request sent directly to the AJAX handler to get information without authentication.
> 
> Can anyone offer some advice about how to piggy-back the session/authentication data that the user originally used to the AJAX so that only an authenticated user will get a valid response from the AJAX handler? I know I could embed authentication information into the web-page and send this with the AJAX request but I'm interested to know if there are other methods also.
> 
> I hope the explanation is clear.
> 
> Thanks in advance. 

same as everywhere else in your apps.. ajax is no different in any way
at all, not even slightly. as far as PHP and web server is concerned
it's just a plain old request same as any other; thus..

if( !$_SESSION['is_logged_in'] ) {
  exit();
}
// do stuff

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux