Using AJAX to secure sessions and save messages

I have been working with PHP sessions and login-protected pages for some time, but I want to start using some AJAX for managing some actions inside login-protected pages (the easy way, with jQuery). Here is what I want to do: the user logs in (classic non-AJAX method) and wants to submit a message. I make a request with AJAX to another page, where the session is checked and the message is saved.

Here is how the start page looks:

```php
<?php
session_name('NEWSESSION');
session_start();
session_regenerate_id(true);
if (empty($_SESSION['user_logged'])) {
    header("Location: login.php");
    exit; // stop here, otherwise the protected page below is still sent
}
$sessionTTL = time() - $_SESSION["timeout"];
if ($sessionTTL > SES_LENGHT) {
    session_destroy();
    header("Location: login.php");
    exit;
}
?>
<!-- page header and all other html things here -->
<div id="returned_message"></div>
<textarea id="message">TEST</textarea>
<input type="button" id="submit" value="Submit message">
<script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
<script>
$("#submit").click(function () {
    $.ajax({
        type: 'POST',
        data: {
            action: 'submit_message',
            message: $("#message").val()
        },
        url: '/save.php',
        success: function (data) {
            $('#returned_message').html(data);
        }
    });
});
</script>
```

And this is save.php, where I send the request (and which sends back a "msg saved" alert):

```php
<?php
session_name('NEWSESSION');
session_start();
session_regenerate_id(true);
if (empty($_SESSION['user_logged'])) {
    header("Location: login.php");
    exit;
}
$sessionTTL = time() - $_SESSION["timeout"];
if ($sessionTTL > SES_LENGHT) {
    session_destroy();
    header("Location: login.php");
    exit;
}
$username = $_SESSION['user_username'];
// the value checked here must match the 'action' sent by the JavaScript above
if ($_POST["action"] == "submit_message") {
    /* PHP code for saving message */
    echo "Message saved!";
}
?>
```

Is this the right way to do this? And how vulnerable is this (is it more vulnerable than doing it with classic PHP methods, with no fancy AJAX things)? All suggestions are welcome.
php security ajax session
edited Jun 6 at 18:14 Jamal
asked Nov 13 '12 at 21:44 SomeoneS

1 Answer

Consider adding a User Agent check
Adding a User Agent check will add another layer of security. This will slow down session hijacking a bit.

AJAX alone is not a security issue
AJAX is no more vulnerable than regular access when it comes to sessions.

SES_LENGHT is not defined
The constant is not defined anywhere. Is your code snippet complete?

answered Nov 13 '12 at 23:22 user555
Thanks for your answer. Regarding SES_LENGHT, it is defined in an included file (I just removed that include to simplify the example and make it clearer). SomeoneS Nov 14 '12 at 8:30
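A hardened version of the two scripts, added here as an editor's example; it is not code from the question or the answer. It moves the session checks into one include so the page and the AJAX endpoint run identical logic, calls exit after a failed check (the posted code kept executing after header()), binds the session to a hash of the User-Agent as the answer suggests, and answers a failed check on the AJAX endpoint with a 401 JSON body instead of a redirect that the browser would follow silently. It also adds a per-session CSRF token, which the thread does not discuss but which a POST endpoint authenticated only by a cookie needs. Assumptions: SES_LENGHT (idle timeout in seconds) is defined in config.php, a hypothetical file name standing in for the include the asker mentions; the session keys user_logged, user_username and timeout keep the meanings they have in the question; login.php sets user_logged and calls session_regenerate_id(true) once after a successful login.

```php
<?php
// ---- session_guard.php ---- (added example; config.php is a hypothetical include)
require_once __DIR__ . '/config.php'; // defines SES_LENGHT, per the asker's comment

// Start NEWSESSION and verify the caller is logged in, not timed out, and on the
// same User-Agent. Pages pass $isAjax = false and get a redirect on failure; AJAX
// endpoints pass true and get a 401 JSON body the JavaScript can react to.
function require_login(bool $isAjax): void
{
    session_name('NEWSESSION');
    session_set_cookie_params(['httponly' => true, 'samesite' => 'Strict']);
    session_start();
    // No session_regenerate_id() here: two AJAX calls in flight at once would race
    // and one would carry an id that has just been invalidated. Regenerate at login.

    $ok = !empty($_SESSION['user_logged']);

    // Idle timeout: 'timeout' holds the last activity time and is refreshed below.
    if ($ok && isset($_SESSION['timeout']) && time() - $_SESSION['timeout'] > SES_LENGHT) {
        $ok = false;
    }

    // User-Agent binding (the answer's suggestion): compare a stored hash of the header
    // in constant time. A speed bump only, since an attacker who stole the cookie can
    // usually copy the UA string as well.
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if ($ok && isset($_SESSION['ua']) && !hash_equals($_SESSION['ua'], $ua)) {
        $ok = false;
    }

    if (!$ok) {
        $_SESSION = [];
        session_destroy();
        if ($isAjax) {
            http_response_code(401);
            header('Content-Type: application/json');
            echo json_encode(['error' => 'not logged in']);
        } else {
            header('Location: login.php');
        }
        exit; // never fall through into the protected code
    }

    $_SESSION['timeout'] = time();
    $_SESSION['ua'] = $ua;
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32)); // per-session anti-CSRF token
    }
}

// ---- save.php ---- the AJAX endpoint
require_once __DIR__ . '/session_guard.php';
require_login(true);
header('Content-Type: application/json');

$action = (string)($_POST['action'] ?? '');
$token  = (string)($_POST['csrf'] ?? '');
if ($action !== 'submit_message' || !hash_equals($_SESSION['csrf'], $token)) {
    http_response_code(400);
    echo json_encode(['error' => 'bad request']);
    exit;
}
$username = $_SESSION['user_username'];
$message  = (string)($_POST['message'] ?? '');
/* save $message for $username here; use a prepared statement if it goes into SQL */
echo json_encode(['status' => 'Message saved!']);

// ---- page.php ---- the protected page
require_once __DIR__ . '/session_guard.php';
require_login(false);
?>
<div id="returned_message"></div>
<textarea id="message">TEST</textarea>
<input type="button" id="submit" value="Submit message">
<script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
<script>
var csrf = <?= json_encode($_SESSION['csrf']) ?>; // token handed to the page
$("#submit").click(function () {
    $.ajax({
        type: 'POST',
        url: '/save.php',
        data: { action: 'submit_message', csrf: csrf, message: $("#message").val() },
        dataType: 'json',
        success: function (data) {
            $('#returned_message').text(data.status); // .text(), not .html(): it is data, not markup
        },
        error: function (xhr) {
            $('#returned_message').text(xhr.status === 401 ? 'Session expired, log in again' : 'Error');
        }
    });
});
</script>
```

The three sections above are separate files in practice and are shown together only for reading. The change that matters most for the question as asked is the exit after header(): without it, save.php would echo "Message saved!" to an anonymous caller right after issuing the redirect, and the start page would serve its protected HTML. Everything else (the UA hash, the 401 body, the token) is defence in depth on top of that.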