jcanker Posted September 23, 2010

I'm new to AJAX (but have worked with PHP) and am exploring ways to make the site I'm going to build a touch more secure. Each PHP page called will verify login/logged-in status info to ensure that the page isn't somehow being run as a "standalone" page by someone accessing the PHP page directly. (Additionally, everything will use POST, and the GET array will be wiped at the start of the script.) A big part of my concern is to NOT require that a user has cookies enabled, which then makes $_SESSION more difficult to work with. Since I don't want to pass the session ID back and forth in a hidden form and I'm not using GET, I thought, "Why not just store the session ID as a var in the returned data when the user first logs on and reference the session in subsequent calls if necessary?" It also seems to me that I could store the username and password as variables to hash as required. This way it never requires a cookie in case they have it disabled, and I don't have to worry about cookie security lapses, such as shared PCs, etc. Am I just missing a massive security hole here? Why isn't this routinely done?
gamesmstr Posted September 24, 2010

There is no need to pass session data back and forth, as the session is stored in the active browser session and is not subject to POST or GET methods. I assign a session variable to a user's email address and then use that to query my database for their other information... this information is loaded in every page and is all based on that session variable.
jcanker Posted September 24, 2010 (Author)

Maybe I need to catch up a bit with PHP 5's features then. I thought the session ID was stored in a cookie on the user's machine, and if they had cookies turned off (or it was disabled in php.ini) you had to take other measures, such as passing it through the URL as _GET. Am I wrong, or did it change in PHP 5? Maybe I've been staring at AJAX books and tutorials too much today, but I'm not visualizing what you mean by passing the session variable to a user's email address.
trq Posted September 24, 2010

Nothing has changed in PHP 5; gamesmstr did not take into account the fact that you are indeed trying to use sessions without cookies enabled. Without cookies enabled you will need to pass some form of identifier around with each request. You have no way of recognizing a user without it.
jcanker Posted September 24, 2010 (Author)

Okay, so back to the original question then: can I accomplish that by passing the session ID back in the XML, making it a JavaScript var, and including it in the POST data when the subsequent PHP request is made?
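One way to do what the thread describes, as an added example that is not code from any poster: a PHP AJAX endpoint that reads the session ID from the POST body instead of a cookie, with the checks that stop the ID from becoming a fixation or leakage problem (format validation, strict mode, rotation on login, and treating the ID as a bearer token that must only travel over HTTPS). The `sid` parameter name, the `user_id` session key and the JSON response shape are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+.
// The session ID arrives in the POST body as 'sid' and is returned in JSON;
// no cookie is ever set or read, so the ID is effectively a bearer token.

ini_set('session.use_cookies', '0');      // never set or read a session cookie
ini_set('session.use_only_cookies', '0');
ini_set('session.use_trans_sid', '0');    // never copy the ID into links or forms
// Defence in depth: do not adopt IDs the server never issued. Whether this
// applies to an ID set via session_id() varies by PHP version, which is why
// login_user() below still rotates the ID.
ini_set('session.use_strict_mode', '1');

// Resume the session named in POST, or start a fresh one if none is given.
function start_session_from_post(): void
{
    $id = $_POST['sid'] ?? '';
    // Only the character set PHP itself uses for session IDs is acceptable.
    if ($id !== '' && preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
        session_id($id);
    }
    session_start();
}

function is_logged_in(): bool
{
    return isset($_SESSION['user_id']);
}

// Called by the login endpoint after the password check succeeds.
// Rotating the ID means a pre-login ID (which could have been planted by
// someone else) never becomes an authenticated one.
function login_user(int $userId): string
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    return session_id();   // the client stores this and posts it as 'sid' later
}

start_session_from_post();
header('Content-Type: application/json');

if (!is_logged_in()) {
    http_response_code(401);
    echo json_encode(['error' => 'not authenticated']);
    exit;
}
echo json_encode(['sid' => session_id(), 'user' => $_SESSION['user_id']]);
```

The JavaScript side keeps the returned `sid` in memory only (not in localStorage) and includes it in each POST body; since anyone holding the ID is the user, serve the endpoint over HTTPS only.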