Do AJAX requests retain PHP Session info?

PhpAjaxSession

Php Problem Overview

If I had a user logged onto my site, having his id stored in $_SESSION, and from his browser he clicked a 'Save' button which would make an AJAX request to the server. Will his $_SESSION and cookies be retained in this request, and can I safely rely on the id being present in the $_SESSION?

Php Solutions

Solution 1 - Php

The answer is yes:

Sessions are maintained server-side. As far as the server is concerned, there is no difference between an AJAX request and a regular page request. They are both HTTP requests, and they both contain cookie information in the header in the same way.

From the client side, the same cookies will always be sent to the server whether it's a regular request or an AJAX request. The Javascript code does not need to do anything special or even to be aware of this happening, it just works the same as it does with regular requests.

Solution 2 - Php

If the PHP file the AJAX requests has a session_start() the session info will be retained. (baring the requests are within the same domain)

Solution 3 - Php

What you're really getting at is: are cookies sent to with the AJAX request? Assuming the AJAX request is to the same domain (or within the domain constraints of the cookie), the answer is yes. So AJAX requests back to the same server do retain the same session info (assuming the called scripts issue a session_start() as per any other PHP script wanting access to session information).

Solution 4 - Php

Well, not always. Using cookies, you are good. But the "can I safely rely on the id being present" urged me to extend the discussion with an important point (mostly for reference, as the visitor count of this page seems quite high).

PHP can be configured to maintain sessions by URL-rewriting, instead of cookies. (How it's good or bad (<-- see e.g. the topmost comment there) is a separate question, let's now stick to the current one, with just one side-note: the most prominent issue with URL-based sessions -- the blatant visibility of the naked session ID -- is not an issue with internal Ajax calls; but then, if it's turned on for Ajax, it's turned on for the rest of the site, too, so there...)

In case of URL-rewriting (cookieless) sessions, Ajax calls must take care of it themselves that their request URLs are properly crafted. (Or you can roll your own custom solution. You can even resort to maintaining sessions on the client side, in less demanding cases.) The point is the explicit care needed for session continuity, if not using cookies:

  1. If the Ajax calls just extract URLs verbatim from the HTML (as received from PHP), that should be OK, as they are already cooked (umm, cookified).

  2. If they need to assemble request URIs themselves, the session ID needs to be added to the URL manually. (Check here, or the page sources generated by PHP (with URL-rewriting on) to see how to do it.)

From OWASP.org:

> Effectively, the web application can use both mechanisms, cookies or > URL parameters, or even switch from one to the other (automatic URL > rewriting) if certain conditions are met (for example, the existence > of web clients without cookies support or when cookies are not > accepted due to user privacy concerns).

From a Ruby-forum post:

> When using php with cookies, the session ID will automatically be sent in the request headers even for Ajax XMLHttpRequests. If you > use or allow URL-based php sessions, you'll have to add the session id > to every Ajax request url.

Solution 5 - Php

It is very important that AJAX requests retain session. The easiest example is when you try to do an AJAX request for the admin panel, let's say. Of course that you will protect the page that you make the request to, not to accessible by others who don't have the session you get after administrator login. Makes sense?

Solution 6 - Php

One thing to watch out for though, particularly if you are using a framework, is to check if the application is regenerating session ids between requests - anything that depends explicitly on the session id will run into problems, although obviously the rest of the data in the session will unaffected.

If the application is regenerating session ids like this then you can end up with a situation where an ajax request in effect invalidates / replaces the session id in the requesting page.

Solution 7 - Php

That's what frameworks do, e.g. if you initialize session in Front Controller or boostrap script, you won't have to care about it's initalization either for page controllers or ajax controllers. PHP frameworks are not a panacea, but they do so many useful things like this!

Solution 8 - Php

put your session() auth in all server side pages accepting an ajax request:

if(require_once("auth.php")) {

//run json code

}

// do nothing otherwise

that's about the only way I've ever done it.

Categories
Recommended Php Solutions
Recommended Ajax Solutions
Recommended Session Solutions

Previous Solution:

A better similarity ranking algorithm for variable length strings

String MatchingRankingSimilarityFuzzy Search

Next Solution:

jQuery loop over JSON result from AJAX Success?

JqueryAjaxJson

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content TypeOriginal AuthorOriginal Content on Stackoverflow
QuestionAliView Question on Stackoverflow
Solution 1 - PhpthomasrutterView Answer on Stackoverflow
Solution 2 - PhpÓlafur WaageView Answer on Stackoverflow
Solution 3 - PhpcletusView Answer on Stackoverflow
Solution 4 - PhpSz.View Answer on Stackoverflow
Solution 5 - PhpBogdan ConstantinescuView Answer on Stackoverflow
Solution 6 - PhpJohnView Answer on Stackoverflow
Solution 7 - PhpAlexAView Answer on Stackoverflow
Solution 8 - Phpbrianabee7View Answer on Stackoverflow