Problem
If a user was signed into my site and his id was kept in $_SESSION, and he clicked a ‘Save’ button from his browser, the browser would send an AJAX call to the server. Will his $_SESSION and cookies be preserved in this request, and can I rely on the presence of the id in the $_SESSION?
Asked by Ali
Solution #1
Yes, that is true:
Server-side sessions are maintained. There is no difference between an AJAX request and a standard page request from the server’s perspective. They’re both HTTP requests, and their headers contain cookie information in the same way.
Whether it’s a standard request or an AJAX request, the same cookies will always be transmitted to the server from the client. The JavaScript code does not need to do anything unusual or even be aware that this is happening; it just responds to queries as usual.
Answered by thomasrutter
Solution #2
Session information will be preserved if the PHP file handling the AJAX requests has a session_start() function. (Unless the requests are coming from the same domain.)
Answered by Ólafur Waage
Solution #3
What you’re really asking is whether or not cookies are sent with the AJAX request. Yes, assuming the AJAX request is made to the same domain (or within the cookie’s domain limitations). As a result, AJAX calls to the same server keep the same session information (provided the called scripts execute session_start() like any other PHP script requesting session information).
Answered by cletus
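To make the "same domain / cookie's domain limitations" condition concrete, here is an added example (not code from the original thread) that models the checks a browser applies before attaching a session cookie such as PHPSESSID to an XMLHttpRequest or fetch() call: the request's credentials mode, the cookie's Domain and Secure attributes, and SameSite. The hostnames, paths and cookie values are constructed for illustration, and the "last two labels" rule used for "same site" is an approximation of the Public Suffix List.

```javascript
// Added example (not from the original thread): a model of the rules a browser
// applies before attaching a session cookie such as PHPSESSID to an
// XMLHttpRequest/fetch() call. Hostnames, paths and cookie values are
// constructed for illustration; real browsers use the Public Suffix List where
// this uses "last two labels" to decide what counts as the same site.

function registrableDomain(hostname) {
  // Approximation of the registrable ("site") domain; fine for example.com-style hosts.
  return hostname.split('.').slice(-2).join('.');
}

function domainMatches(cookie, hostname) {
  if (!cookie.domain) {
    // No Domain attribute: host-only cookie, sent only to the exact host that set it.
    return hostname === cookie.host;
  }
  const d = cookie.domain.replace(/^\./, '');
  return hostname === d || hostname.endsWith('.' + d);
}

// Returns true when the browser would put `cookie` on the request to `request`
// issued by a page at `page`, using the given fetch() credentials mode.
function cookieSentWithRequest({ page, request, cookie, credentials = 'same-origin' }) {
  const p = new URL(page);
  const r = new URL(request);

  // 1. Credentials mode: 'same-origin' is the fetch() default, and XMLHttpRequest
  //    behaves the same way unless withCredentials = true ('include').
  if (credentials === 'omit') return false;
  if (credentials === 'same-origin' && p.origin !== r.origin) return false;

  // 2. Cookie scoping attributes.
  if (!domainMatches(cookie, r.hostname)) return false;
  if (cookie.secure && r.protocol !== 'https:') return false;

  // 3. SameSite. An XHR/fetch call is never a top-level navigation, so both
  //    Lax and Strict withhold the cookie on cross-site requests; only
  //    SameSite=None (which must also be Secure) travels cross-site.
  const sameSite = registrableDomain(p.hostname) === registrableDomain(r.hostname);
  const mode = cookie.sameSite || 'Lax'; // Chromium-based browsers default to Lax
  if (mode === 'None' && !cookie.secure) return false; // rejected outright
  if (mode !== 'None' && !sameSite) return false;
  return true;
}

// Options a "Save" button handler would pass to fetch(). credentials must be
// 'include' if the endpoint lives on another origin, and then the server also
// has to answer with Access-Control-Allow-Credentials: true.
function saveRequestOptions(payload, credentials = 'same-origin') {
  return {
    method: 'POST',
    credentials,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(payload),
  };
}

// Constructed session cookie, as session_start() on app.example.com would set it
// with session.cookie_secure=1 and session.cookie_samesite=Lax.
const phpsessid = { name: 'PHPSESSID', host: 'app.example.com', secure: true, sameSite: 'Lax' };
const page = 'https://app.example.com/editor';

// In the browser the Save handler would be:
//   fetch('/save.php', saveRequestOptions({ id: 42 }))
// and cookieSentWithRequest({ page, request: 'https://app.example.com/save.php', cookie: phpsessid })
// returns true, so save.php can call session_start() and find the id in $_SESSION.
```

Because the cookie is attached automatically, the same mechanism would also attach it to a request that a page on another site triggers; the SameSite=Lax case in the model is what stops that for XHR/fetch, and a script that performs a state change on "Save" should not treat the cookie's presence alone as proof that the user intended the action.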
Solution #4
Not always, to be sure. You’re doing fine if you’re using cookies. However, the question of “can I safely rely on the id being present” prompted me to add a crucial element to the conversation (mostly for reference, as the visitor count of this page seems quite high).
Instead of cookies, PHP can be programmed to preserve sessions through URL rewriting. (While the question of whether that is good or harmful (see, for example, the topmost comment there) is a distinct one, let us now focus on the current one, with only one side.) Note: the most visible issue with URL-based sessions, the naked session ID’s exposure, isn’t an issue with internal Ajax calls; but then, if it’s turned on for Ajax, it’s turned on for the rest of the site, so there…
Ajax calls must ensure that their request URLs are properly formed in the case of URL-rewriting (cookieless) sessions. (Alternatively, you can create your own bespoke solution. In less demanding instances, you can also maintain sessions on the client side.) The idea is that, if cookies aren’t used, special care is required for session continuity:
From OWASP.org:
From a Ruby-forum post:
Answered by Sz.
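As an added example of the "properly formed request URLs" point above (not code from the original thread), the helpers below build the URL or POST body for an Ajax call when PHP is running cookieless sessions (session.use_trans_sid enabled, session.use_only_cookies disabled), where the id has to be carried as a request parameter named after session_name(). They assume the server has already exposed the current session name and id to the page, for instance by printing session_name() and session_id() into a script block; the values used here are constructed. The id is only ever added to same-origin URLs, so it is never handed to another host.

```javascript
// Added example (not from the original thread): carrying the PHP session id in
// the request when cookies are not used. PHP with session.use_trans_sid enabled
// looks for the id in $_GET and $_POST under the session name, so an Ajax call
// must put it there itself. Session name/id values below are constructed.

// Returns an absolute URL with the session id set as a query parameter.
// Relative URLs are resolved against pageOrigin (location.origin in a browser).
function withSessionId(url, sessionName, sessionId, pageOrigin) {
  const target = new URL(url, pageOrigin);
  if (target.origin !== pageOrigin) {
    // Never leak the session id to a third-party host.
    throw new Error('refusing to put the session id in a cross-origin URL: ' + target.origin);
  }
  target.searchParams.set(sessionName, sessionId); // replaces any stale id already present
  return target.toString();
}

// For POST requests, put the id in a form-encoded body instead of the URL, which
// keeps it out of access logs and Referer headers.
function postBodyWithSessionId(params, sessionName, sessionId) {
  const body = new URLSearchParams(params);
  body.set(sessionName, sessionId);
  return body.toString();
}

// Constructed values that the server would have embedded in the page.
const SESSION_NAME = 'PHPSESSID';
const SESSION_ID = 'abc123def456';
const PAGE_ORIGIN = 'https://app.example.com';

// In a browser, the Save handler would do:
//   fetch('/save.php', {
//     method: 'POST',
//     headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
//     body: postBodyWithSessionId({ item: '7', title: 'draft' }, SESSION_NAME, SESSION_ID),
//   });
// or, for a GET:
//   fetch(withSessionId('/load.php?item=7', SESSION_NAME, SESSION_ID, location.origin));
```

If cookieless sessions are not actually required, leaving PHP at its default of session.use_only_cookies=1 avoids the whole problem: the id then never appears in URLs and the Ajax code has nothing to manage.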
Solution #5
It’s critical that AJAX requests save their state. For example, let’s imagine you’re trying to make an AJAX call for the admin panel. Of course, you’ll make sure that the page you’re requesting isn’t available to anyone who doesn’t have the session you obtain after logging in as an administrator. Does that make sense?
Answered by Bogdan Constantinescu
Post is based on https://stackoverflow.com/questions/676846/do-ajax-requests-retain-php-session-info