First, it's a POST, so the data in the URL (GET) doesn't do anything. Second, you can check the content-type in the headers; a JSON request is "application/json".
Third, session tokens are always a good idea.

On Oct 1, 2010, at 4:58 PM, hairbo wrote:

> I'm not 100% sure how to phrase this, so apologies if this post gets
> wordy or confusing...
>
> Is there any standard way to ensure that data received on an AJAX post
> page does, in fact, come to that page via an AJAX request? I could
> imagine somebody coming to a site that handles login via AJAX, popping
> open Firebug, figuring out what the AJAX post page is for the login
> request, and then navigating directly to that page in a browser,
> throwing params in the URL, just to see what might happen.
>
> Without being able to articulate exactly why, I'd say this sounds like
> a "bad" thing. Is there any sort of a token one passes from an AJAX
> post in JS back to the server for authentication?
>
> Does my question even make sense?
>
> Thanks in advance.
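
Added example, not part of the original thread: the three checks from the reply above (POST only, JSON content-type, session token) applied in order on the server side. The `req` and `session` object shapes and the `X-Session-Token` header name are assumptions for illustration.

```javascript
// Added example. `req` and `session` are plain objects whose shapes are
// assumed here; the X-Session-Token header name is hypothetical.

// Compare two strings without stopping at the first mismatch.
function constantTimeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function checkAjaxPost(req, session) {
  // 1. POST only. req.query (URL parameters) is never consulted.
  if (req.method !== 'POST') return { ok: false, status: 405, reason: 'method' };

  // 2. Content-Type must be JSON; drop parameters such as "; charset=UTF-8".
  const raw = String(req.headers['content-type'] || '');
  const ctype = raw.split(';')[0].trim().toLowerCase();
  if (ctype !== 'application/json') return { ok: false, status: 415, reason: 'content-type' };

  // 3. The token stored in the server-side session must come back in a header.
  const sent = req.headers['x-session-token'];
  if (!session || !constantTimeEqual(sent, session.token)) {
    return { ok: false, status: 403, reason: 'token' };
  }

  // Only a request that passed all three checks gets its body parsed.
  try {
    return { ok: true, status: 200, data: JSON.parse(req.body) };
  } catch (err) {
    return { ok: false, status: 400, reason: 'json' };
  }
}

// Constructed sample requests, from a typed-in URL to a valid AJAX post.
const session = { token: 'constructed-token-8f2a' };
const samples = [
  { method: 'GET', headers: {}, query: { user: 'a', pass: 'b' }, body: '' },
  { method: 'POST', headers: { 'content-type': 'application/x-www-form-urlencoded' }, body: 'user=a' },
  { method: 'POST', headers: { 'content-type': 'application/json' }, body: '{"user":"a"}' },
  { method: 'POST', headers: { 'content-type': 'application/json; charset=UTF-8',
      'x-session-token': 'constructed-token-8f2a' }, body: '{"user":"a"}' },
];
for (const r of samples) console.log(checkAjaxPost(r, session));
```

The method and content-type can be set by any HTTP client, so those two checks only filter malformed requests; the session-bound token is the check that ties the post to a page the server issued.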
