When the first page is requested, create a token, save it to a database
and send it as a JavaScript variable.
When you use AJAX, use POST, not GET, and send the token back with the
AJAX request.
Check that the token exists in the database; if it does, delete it and
send the AJAX page back.
The s
You can also check the HTTP_X_REQUESTED_WITH server variable. If the
page is requested via $.ajax then this will be set to "XMLHttpRequest"
but if it is requested straight through the browser, then it will not
exist.
On Apr 23, 21:51, donb wrote:
> If you are not familiar, you need to investiga
If you are not familiar, you need to investigate 'role based'
security. Users log in and are members of one or more security groups
(roles). Then, different areas of your application are granted access
to appropriate roles. This restricts access to only those users
having the correct role assig
Another thing, regarding the HTTP_REFERER, I personally don't use that
because it's easy to manipulate and really browser dependent.
Also, there are a lot of tools out there that easily remove referrer
headers (to hide tracking) and would cause your application to break
for those users.
On Ap
Oh, one more thing. Use POST submission instead of GET if you don't
want direct access easily. It's more work to forge a POST request than
a GET request.
On Apr 23, 3:04 pm, James wrote:
> Sessions is probably the simplest way and should probably always be
> used whenever possible. Other additio
Sessions are probably the simplest way and should probably always be
used whenever possible. Other additional checks include checking the
HTTP Request Header, X-Requested-With, with the value
'XMLHttpRequest'. jQuery automatically sets this value for you when
doing AJAX, so all you need is a header
But what if there is a "bad" user who has a login? Then he can access this
page. But I need to protect it from both authenticated and unauthenticated
users. From unauthenticated users I can of course protect it with SESSION,
but how can I protect it from authenticated users?
On Apr 24, 04:46, donb wrote:
> Session variables will be shared betw
Session variables will be shared between the ajax page and the calling
page. So, if you log in the user somehow and store a session variable
that indicates they are logged in, just check that the appropriate
variable exists.
On Apr 23, 8:30 pm, Colonel wrote:
> For example I have a page:http://