Do AJAX requests retain PHP Session info

Question

If I had a user logged onto my site  having his id stored in   SESSION  and from his browser he clicked a  Save  button which would make an AJAX request to the server  Will his   SESSION and cookies be retained in this request  and can I safely rely on the id being present in the   SESSION

User · Answer

It is very important that AJAX requests retain session  The easiest example is when you try to do an AJAX request for the admin panel  let s say  Of course that you will protect the page that you make the request to  not to accessible by others who don t have the session you get after administrator login  Makes sense

User · Answer

The answer is yes   Sessions are maintained server-side   As far as the server is concerned  there is no difference between an AJAX request and a regular page request   They are both HTTP requests  and they both contain cookie information in the header in the same way   From the client side  the same cookies will always be sent to the server whether it s a regular request or an AJAX request   The Javascript code does not need to do anything special or even to be aware of this happening  it just works the same as it does with regular requests

User · Answer

What you re really getting at is  are cookies sent to with the AJAX request   Assuming the AJAX request is to the same domain  or within the domain constraints of the cookie   the answer is yes  So AJAX requests back to the same server do retain the same session info  assuming the called scripts issue a session start   as per any other PHP script wanting access to session information

User · Answer

Well  not always  Using cookies  you are good  But the  can I safely rely on the id being present  urged me to extend the discussion with an important point  mostly for reference  as the visitor count of this page seems quite high    PHP can be configured to maintain sessions by URL-rewriting  instead of cookies   How it s good or bad   lt -- see e g  the topmost comment there  is a separate question  let s now stick to the current one  with just one side-note  the most prominent issue with URL-based sessions -- the blatant visibility of the naked session ID -- is not an issue with internal Ajax calls  but then  if it s turned on for Ajax  it s turned on for the rest of the site  too  so there      In case of URL-rewriting  cookieless  sessions  Ajax calls must take care of it themselves that their request URLs are properly crafted   Or you can roll your own custom solution  You can even resort to maintaining sessions on the client side  in less demanding cases   The point is the explicit care needed for session continuity  if not using cookies    If the Ajax calls just extract URLs verbatim from the HTML  as received from PHP   that should be OK  as they are already cooked  umm  cookified   If they need to assemble request URIs themselves  the session ID needs to be added to the URL manually   Check here  or the page sources generated by PHP  with URL-rewriting on  to see how to do it       From OWASP org      Effectively  the web application can use both mechanisms  cookies or   URL parameters  or even switch from one to the other  automatic URL   rewriting  if certain conditions are met  for example  the existence   of web clients without cookies support or when cookies are not   accepted due to user privacy concerns     From a Ruby-forum post      When using php with cookies  the session ID will automatically be sent in the request headers even for Ajax XMLHttpRequests   If you   use or allow URL-based php sessions  you ll have to add the session id   to every Ajax request url

User · Answer

That s what frameworks do  e g  if you initialize session in Front Controller or boostrap script  you won t have to care about it s initalization either for page controllers or ajax controllers  PHP frameworks are not a panacea  but they do so many useful things like this

User · Answer

put your session   auth in all server side pages accepting an ajax request   if require once  auth php         run json code        do nothing otherwise   that s about the only way I ve ever done it

User · Answer

If the PHP file the AJAX requests has a session start   the session info will be retained   baring the requests are within the same domain

User · Answer

One thing to watch out for though  particularly if you are using a framework  is to check if the application is regenerating session ids between requests - anything that depends explicitly on the session id will run into problems  although obviously the rest of the data in the session will unaffected   If the application is regenerating session ids like this then you can end up with a situation where an ajax request in effect invalidates   replaces the session id in the requesting page

[php] Do AJAX requests retain PHP Session info?

Examples related to php

Examples related to ajax

Examples related to session