AJAX security questions

I was hoping to clear up some questions I have been having with AJAX security. So here is a scenario I am trying to wrap my head around.

Let's say I am using AJAX to request some semi-sensitive material for the page. For instance, I am going to pass the user's ID to a PHP file, and return some information about them. Now, what is keeping someone from emulating this JavaScript request, and passing different IDs to the PHP script?

  • Is there anything the server does to keep this from happening?
  • Does the DOM recognize JavaScript which was 'originally' in place,
    or written by the server, as opposed to client-side JavaScript?
  • What are some more security issues when using AJAX to request sensitive material?
  • I am using suPHP; does this have any effect in situations like this?
asked by grep, Dec 17 '22 10:12


1 Answer

An Ajax call is exactly identical to any other HTTP request that you make except that it's asynchronous (it doesn't reload the web browser). So you should be using whatever authentication you currently employ on your web site.

This could either be Windows integrated security, cookies, etc. Basically your PHP script just has to verify that the request is coming from a valid user of your application.

answered by tskuzzy, Dec 28 '22 10:12
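To make the answer concrete, here is an added PHP example (it is not code from the question or the answer) that puts the vulnerable endpoint from the question next to a hardened one. It assumes a `users` table with `id`, `name` and `email` columns, a PDO connection, and a login step elsewhere that stores the authenticated user's id in `$_SESSION['user_id']`; the SQLite in-memory database and its single row are constructed so the script runs on its own.

```php
<?php
// Added example, not from the original page. Assumed schema: users(id, name, email).
declare(strict_types=1);

// VULNERABLE: trusts the id that the browser sent. The server cannot tell
// "original" page JavaScript from curl, a script, or an edited page; every
// client can send any id it likes and read another user's record.
function profile_insecure(PDO $db, array $query): ?array
{
    $stmt = $db->prepare('SELECT id, name, email FROM users WHERE id = ?');
    $stmt->execute([(int) ($query['id'] ?? 0)]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// HARDENED: the identity comes from the server-side session created at
// login (a cookie the browser attaches to the Ajax call automatically).
// Whatever id the request body or query string carries is simply ignored,
// so there is nothing for a forged request to tamper with.
function profile_secure(PDO $db, array $session): ?array
{
    if (!isset($session['user_id'])) {
        // Not authenticated: refuse rather than fall back to a request parameter.
        http_response_code(401);
        return null;
    }
    $stmt = $db->prepare('SELECT id, name, email FROM users WHERE id = ?');
    $stmt->execute([(int) $session['user_id']]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// --- Constructed data so the script is self-contained (assumption) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO users VALUES (7, 'alice', 'alice@example.test'),
                                    (8, 'bob',   'bob@example.test')");

// As an HTTP endpoint: the session cookie decides whose profile is returned.
if (PHP_SAPI !== 'cli') {
    session_start();
    header('Content-Type: application/json');
    echo json_encode(profile_secure($db, $_SESSION));
    exit;
}

// Command-line demonstration of the difference between the two functions.
$loggedInAsAlice = ['user_id' => 7];
$forgedRequest   = ['id' => '8'];          // what a tampered Ajax call might send

var_dump(profile_insecure($db, $forgedRequest));            // leaks bob's row
var_dump(profile_secure($db, $loggedInAsAlice));            // alice's row only
var_dump(profile_secure($db, []));                          // null: not logged in
```

The point the answer makes is visible in `profile_secure`: the script never asks "was this sent by my JavaScript?" (an unanswerable question), only "does this request carry a valid session?". When an endpoint legitimately takes a record id as a parameter, the same rule applies in a different form: look the record up, then check that the session user is allowed to see it before returning anything.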