Wrox Programmer Forums > Web Programming > JavaScript > Ajax
June 19th, 2007, 05:14 PM, Registered User

Session management with Ajax and PHP

Here's the problem. A user logs in and their data is sent securely. After this, however, what is the best way to check a user's login when using Ajax to retrieve another page? I want to make sure the user is logged in and who the user is so their content can be retrieved. Using a cookie, and sending that every time, seems to me like it wouldn't be secure. Is there a better way, perhaps HTTP or some use of sessions in PHP?

Thanks for any help,
Dan

 
Old June 19th, 2007, 10:11 PM
planoie's Avatar
Friend of Wrox
 
Join Date: Aug 2003
Posts: 5,407
Thanks: 0
Thanked 16 Times in 16 Posts
Default

How is the session data identified at the server for a particular user? A session cookie sent with the request. If your concern is that someone will hack a cookie, there isn't much you can do aside from hoping it doesn't happen. I like to think that the algorithm for creating a session ID value is random enough that one can't come up with a combination that would actually work.

If you are concerned with storing users' data in a cookie, you can control it. Don't store an ID or (god forbid) a password in a cookie for verification purposes. Store humanly meaningless and non-presumable information. Using an incrementing ID isn't the most ideal, so you could use something more unspoofable such as a unique identifier (does PHP have such a thing like the Microsoft GUID?). Using the server-based session should typically be enough.

-Peter
 
Old June 19th, 2007, 10:16 PM
Registered User
 
Join Date: Jun 2007
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Default

If a session is created using PHP, is there a way to send this session data via HTTP when accessing another PHP script using Ajax? I've experimented a little bit and have been unable to have PHP find a session when it is loaded from Ajax; it only works when the entire page is loaded and all HTTP headers are sent. Do you have any better suggestions for keeping a user "logged in"?

 
Old June 19th, 2007, 10:26 PM
planoie's Avatar
Friend of Wrox
 
Join Date: Aug 2003
Posts: 5,407
Thanks: 0
Thanked 16 Times in 16 Posts
Default

I live in a Microsoft ASP.NET world, so that is all managed automatically by the Ajax framework. Cookies are sent and received with the Ajax requests by means of the normal behavior of the XMLHttpRequest object in the browser.

I would imagine that the first full page request should create the session in PHP. Any additional request sent by the HTTP request object (even when called through JavaScript) should send any cookies associated with the site, which would provide you with your session identification. Perhaps PHP behaves differently, however.

-Peter
 
Old June 19th, 2007, 10:41 PM
Registered User
 
Join Date: Jun 2007
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Hmmm, I'll have to experiment a little more. Thanks for your help so far!

 
Old June 20th, 2007, 02:02 AM
joefawcett's Avatar
Wrox Author
 
Join Date: Jun 2003
Posts: 3,074
Thanks: 1
Thanked 38 Times in 37 Posts
Default

Firstly, if you want secure passing of data then you'll have to use SSL/HTTPS for all the connections; however you pass data, by Ajax or traditional requests, if you use HTTP it can be viewed easily if someone wants to. If you want to change protocols after login and revert to HTTP, then you need to set a cookie when they are authenticated. It doesn't have to contain any important data; it's just a token to say they have logged in. It should be a large random number and you keep track of it server-side. You should also set the cookie to expire after a suitable time span.

--

Joe (Microsoft MVP - XML)
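An added example, not code from the thread, showing what Joe's "large random token tracked server-side, with expiry" advice and Peter's note about XMLHttpRequest sending cookies look like with PHP's own session, whose ID is exactly such a server-tracked random value. The helper names check_credentials() and fetch_items_for() are assumed; a common cause of the symptom Dan describes (PHP "not finding" the session from an Ajax request) is that the Ajax-requested script never calls session_start().

```php
<?php
// Added example (not from the thread). Assumed helpers: check_credentials(), fetch_items_for().
const IDLE_TIMEOUT = 1800; // seconds; an assumed value for the expiry Joe mentions

// Every script that reads $_SESSION must call this first, including the one that
// XMLHttpRequest requests; without session_start() PHP never looks at the session cookie.
function start_session(): void {
    session_set_cookie_params([
        'lifetime' => 0,       // cookie dies with the browser; server enforces the idle timeout
        'path'     => '/',
        'secure'   => true,    // sent only over HTTPS
        'httponly' => true,    // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Called by login.php after a POST over HTTPS.
function handle_login(string $username, string $password): bool {
    start_session();
    if (!check_credentials($username, $password)) {   // assumed helper
        return false;
    }
    session_regenerate_id(true);      // fresh random ID once authenticated
    $_SESSION['user']      = $username;
    $_SESSION['last_seen'] = time();
    return true;
}

// data.php, requested by XMLHttpRequest. The browser attaches the session cookie
// on its own for same-origin requests, so the JavaScript side needs nothing extra.
function require_login(): string {
    start_session();
    $expired = !isset($_SESSION['last_seen'])
        || time() - $_SESSION['last_seen'] > IDLE_TIMEOUT;
    if (empty($_SESSION['user']) || $expired) {
        session_destroy();
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'not logged in']);
        exit;
    }
    $_SESSION['last_seen'] = time();  // sliding expiry
    return $_SESSION['user'];
}

$uid = require_login();
header('Content-Type: application/json');
echo json_encode(['items' => fetch_items_for($uid)]);   // assumed helper
```

The only thing the cookie carries is PHP's random session ID; the username and timestamps live in the server-side session store, which is the "humanly meaningless" cookie content Peter recommends.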
 
Old June 21st, 2007, 02:21 AM
Registered User
 
Join Date: Jun 2007
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Well, I'm planning on using a cookie, probably with some useless data, to keep track. Just thinking, though: would it be hard for someone to duplicate a cookie, thereby making them a logged-in user?

 
Old June 21st, 2007, 08:05 AM
joefawcett's Avatar
Wrox Author
 
Join Date: Jun 2003
Posts: 3,074
Thanks: 1
Thanked 38 Times in 37 Posts
Default

Well, to duplicate a cookie, provided that you use a long random string, they would need administrator access to the machine where it was created. If they have that, they can do virtually anything they want anyway.

--

Joe (Microsoft MVP - XML)