dounang1974 2012-10-02 00:21
Accepted

Storing PHP session_id in MySQL for AJAX authorization?

Not too clear on how to authorize PHP AJAX calls with session_id or against any $_SESSION variables actually.

Should it be stored in the database upon login and referenced against a $_SESSION storage on each AJAX call?

I know these subjects have probably been discussed ad infinitum, but I can't seem to find a clear answer.

Thanks in advance!

Revelation

Wow, so authorization is limited to whether or not there's a session? Scary. Makes me wonder if that's all that .net's web.config's deny="?" is doing. Thanks all for your help!

1 answer

  • duanhe6718 2012-10-02 00:29

    The session is always there because session data is server-side. As long as they have the cookie that grants them that session, they are considered an authorized user.

    In the beginning of the file being called through AJAX, just do something like this:

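    <?php

    // Resume the session identified by the caller's session cookie.
    session_start();
    // Stop unless the session holds a logged-in user id.
    if (!isset($_SESSION['id'])) {
        exit;
    }

    ?>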

    Nothing will be executed beyond that point unless they have an active session.

    You can prevent people from accessing your AJAX files directly too, just add this:

    <?php

    // Stop unless the request carries X-Requested-With: XMLHttpRequest.
    if (!isset($_SERVER['HTTP_X_REQUESTED_WITH']) || $_SERVER['HTTP_X_REQUESTED_WITH'] !== 'XMLHttpRequest') {
        exit;
    }

    ?>

    Someone could still get around that, but it's better than nothing.

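An added example, not part of the answer above or the asker's code: the answer's two checks combined into one guard, plus a per-session token comparison, since the `X-Requested-With` header comes from the client and any client can send it. The function name `authorize_ajax()`, the `csrf` session key and the `X-CSRF-Token` header are assumptions made for this sketch; `$_SESSION['id']` is the key the answer uses.

```php
<?php
// Added example. Assumed names: authorize_ajax(), $_SESSION['csrf'],
// and the X-CSRF-Token request header (seen by PHP as HTTP_X_CSRF_TOKEN).

/**
 * Decide whether an AJAX request may proceed.
 * Session and server data are passed in so the logic can be exercised offline.
 * Returns [HTTP status code, reason].
 */
function authorize_ajax(array $session, array $server): array
{
    // 1. Authentication: same test as the answer, a logged-in id in the session.
    if (!isset($session['id'])) {
        return [401, 'no active session'];
    }
    // 2. X-Requested-With is client-supplied: it filters casual direct hits
    //    but is a hint, not an authorization signal.
    if (($server['HTTP_X_REQUESTED_WITH'] ?? '') !== 'XMLHttpRequest') {
        return [400, 'not an XMLHttpRequest'];
    }
    // 3. Per-session token, compared in constant time. It ties the request
    //    to a page that was served to this same session.
    $expected = $session['csrf'] ?? '';
    $sent     = $server['HTTP_X_CSRF_TOKEN'] ?? '';
    if (!is_string($expected) || !is_string($sent)
        || $expected === '' || !hash_equals($expected, $sent)) {
        return [403, 'token mismatch'];
    }
    return [200, 'ok'];
}

// Constructed sample inputs standing in for $_SESSION and $_SERVER.
$token   = bin2hex(random_bytes(32));   // would be generated once at login
$session = ['id' => 42, 'csrf' => $token];
$xhr     = ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'];
$cases   = [
    'no session'    => [[], $xhr],
    'direct hit'    => [$session, []],
    'header only'   => [$session, $xhr],
    'wrong token'   => [$session, $xhr + ['HTTP_X_CSRF_TOKEN' => str_repeat('0', 64)]],
    'valid request' => [$session, $xhr + ['HTTP_X_CSRF_TOKEN' => $token]],
];
foreach ($cases as $name => [$s, $srv]) {
    [$status, $reason] = authorize_ajax($s, $srv);
    printf("%-14s -> %d %s\n", $name, $status, $reason);
}
```

In an endpoint, call `session_start()` first, pass `$_SESSION` and `$_SERVER` to the function, and on any status other than 200 send it with `http_response_code()` before `exit`.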
