Hi all.

A question about PHP sessions and their interaction with AJAX.

I have a database containing sensitive information and users need to log in to 
my PHP script and be authenticated before they are granted access.

For one of the forms I would like to retrieve information using AJAX, and some 
of that information is sensitive also. The request from AJAX is handled by 
another, simpler PHP script.

It occurs to me that the AJAX handler could be used to bypass the user 
authentication and a crafted request sent directly to the AJAX handler to get 
information without authentication.

Can anyone offer some advice about how to piggy-back the session/authentication 
data that the user originally used to the AJAX so that only an authenticated 
user will get a valid response from the AJAX handler? I know I could embed 
authentication information into the web-page and send this with the AJAX 
request but I'm interested to know if there are other methods also.

I hope the explanation is clear.

Thanks in advance. 
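One way to tie the AJAX handler to the existing login session, as an added example that is not part of the original post: the browser sends the session cookie with a same-origin XMLHttpRequest automatically, so the handler only has to start the same session and refuse requests that lack an authenticated user. The `$_SESSION['user_id']` and `$_SESSION['csrf_token']` keys, the `X-CSRF-Token` header and the `details` table are assumptions about the login script and database.

```php
<?php
// Added example: a PHP AJAX handler that reuses the login session instead of
// trusting credentials embedded in the page. Assumes the login script stored
// the user's id in $_SESSION['user_id'] and a random token (e.g. from
// bin2hex(random_bytes(32))) in $_SESSION['csrf_token']; both names are assumptions.
declare(strict_types=1);

// Session cookie not readable by script, HTTPS only, not sent cross-site.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

header('Content-Type: application/json');
header('Cache-Control: no-store');

function deny(int $status, string $reason): void
{
    http_response_code($status);
    echo json_encode(['error' => $reason]);
    exit;
}

// 1. Same session as the login page: the PHPSESSID cookie rides along with the
//    AJAX call, so a direct request without a logged-in session fails here.
if (empty($_SESSION['user_id'])) {
    deny(401, 'not authenticated');
}

// 2. Per-session token, echoed into the page markup and sent back by the
//    JavaScript as an X-CSRF-Token header, so another site cannot make a
//    logged-in victim's browser call this handler on its behalf.
$expected = $_SESSION['csrf_token'] ?? null;
$sent     = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
if ($expected === null || !hash_equals($expected, $sent)) {
    deny(403, 'invalid csrf token');
}

// 3. Authorize server-side: scope the query to the authenticated user, never to
//    an id supplied by the client. DSN is a placeholder for the real database.
$pdo  = new PDO('mysql:host=localhost;dbname=PLACEHOLDER_DB', 'PLACEHOLDER_USER', 'PLACEHOLDER_PASS');
$stmt = $pdo->prepare('SELECT label, value FROM details WHERE owner_id = ?');
$stmt->execute([(int) $_SESSION['user_id']]);

echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
```

On the client, the request must be same-origin (or sent with credentials) and carry the token header, for example `fetch('handler.php', {credentials: 'same-origin', headers: {'X-CSRF-Token': token}})`.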
