How can AJAX validate user?

When user is on the page you can use session or cookies to check who is he.

But when AJAX is used, for example, for sending an answer, sending page have no contact with user. How can it check is it real registered user, or just spambot sending this by headers?

What is the common pract开发者_JS百科ice for AJAX user validation?

AJAX requests contain the same cookies like regular requests. Besides that you can send any arguments like session IDs with the AJAX request.

Actually, for the server it makes absolutely no difference if a request is made through an XmlHttpRequest object or not. Most frameworks add an X-Requested-With: XMLHttpRequest header though but that's completely optional.

So.. whatever means you use to pass your session data, simply ensure it's also available to the script called with your AJAX request:

• If you have a session id passed via GET/POST, include it in your request's arguments.
• If cookies are needed, ensure they are send to the file. If it's in the same folder like the current file or a descendant of it you are usually safe. If it's on another (sub-)domain you might get problems - not only with cookies but alsowith cross-domain AJAX which usually isn't allowed due to the same-origin policy browsers have.