proper way to craft an ajax call with php and auth

From a security standpoint, can someone give me a step-by-step (but very simple) path to securing an ajax call when logged in to PHP?

Example:

  1. on the php page, there is a session id given to the logged in user.
  2. the session id is placed dynamically into the javascript before pushing the page to the client.
  3. the client clicks a "submit" button which sends the data (including the session id) back to the php processing page.
  4. the php processing page confirms the session id, performs the task, and sends back data

I'm stuck on how (and whether) the session data should be secured before sending it through an ajax request. I'm not building a bank here, but I'm concerned about so many ajax calls going to "open-ended" php pages that can just accept requests from anywhere (given that sources can be spoofed).


PHP can get the session data without you having to send a session ID via javascript. Just use the $_SESSION variable. If you want to check if a session exists you can just do

    session_start(); // must run before $_SESSION is read
    if (isset($_SESSION['some_val'])) {
        // do work son.
    }

You'll need to use JavaScript to asynchronously pass user input back to the server, but not to keep track of a session.


Don't send your session data with javascript.

You don't need to (in most cases).

Just post the data with javascript and let PHP retrieve the session data from... the session.

Depends on how you set up your session data.

One simple example would be you have a session called username.

When PHP gets the request from javascript you can do: $_SESSION['username'] to retrieve the session data.

This is a very simple example just to show how it can be done.


As noted above, you don't need to send any session identifiers out with your javascript; to the server, an AJAX request is the same as any other request and it will know your session just fine. So basically, just don't worry about it, it's already taken care of.

It's another part of your question that worries me.

> I'm concerned about so many ajax calls going to "open-ended" php pages that can just accept requests from anywhere

It worries me too; you shouldn't have any "open-ended" PHP pages hanging around at all. Every public .php script should have authentication and authorisation done. The easiest and most maintainable way to achieve this, IMHO, is to have a single controller script (e.g. index.php) that does authentication and authorisation then sends the request to an appropriate controller. Aside from this controller, all other scripts should be outside the document root so that they cannot be called directly.

This means that you only ever have to worry about authentication and authorisation in one place; if you need to change it, it only changes in one place. It means you don't need to worry about accidentally leaving some executable stuff in some library PHP file that's not meant to be called directly. It means you don't need to shag around with mod_rewrite rules trying to protect .php files that shouldn't be in the doc root at all.
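
The single-controller layout described in the answer above, as an added example that is not code from the original thread. The action names, the `role` session key, the `action` POST field and the `../app/handlers/` directory are assumptions; `$_SESSION['username']` is the key used in the earlier answer.

```php
<?php
// index.php: the only script inside the document root (added example).
// Assumed layout: handler files live in ../app/handlers/, which the web server cannot serve.
declare(strict_types=1);

session_start(); // PHP reads the session cookie itself; JavaScript passes no session id

// Hypothetical route table: action name => [handler file, role required].
const ROUTES = [
    'profile.update' => ['profile_update.php', 'user'],
    'report.delete'  => ['report_delete.php', 'admin'],
];

function respond(int $status, array $body): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
    exit;
}

// Pure decision function, so the policy lives (and changes) in one place.
function authorize(array $session, string $action): int
{
    if (!array_key_exists($action, ROUTES)) {
        return 404; // unknown action: request input is never turned into a file path
    }
    if (!isset($session['username'])) {
        return 401; // authentication: no logged-in session
    }
    if (ROUTES[$action][1] === 'admin' && ($session['role'] ?? 'user') !== 'admin') {
        return 403; // authorisation: logged in, but not allowed to do this
    }
    return 200;
}

$action = is_string($_POST['action'] ?? null) ? $_POST['action'] : '';
$status = authorize($_SESSION, $action);
if ($status !== 200) {
    respond($status, ['error' => 'request refused']);
}

// Only an allow-listed file name reaches require; the handler returns an array.
$result = require __DIR__ . '/../app/handlers/' . ROUTES[$action][0];
respond(200, ['data' => $result]);
```

Every AJAX call posts to `index.php` with an `action` field, so a request without a valid session is refused before any handler code is loaded.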
