Hey guys, one more quick question for any experts out there. I have a form that is submitted via jQuery AJAX, works perfectly (I tested), and uses a form token (I set a session variable and pass it through the form, then check that the token is equal to the posted token to prevent CSRF attacks, see below...). My question is that I defined my session variable on the form page and used PHP session_start() on the validation page, but I am not sure how $_SESSION['token'] is still defined if I am not actually posting to that page or physically accessing that page with my browser (I am sending an AJAX call). How can $_SESSION['token'] be defined on a remote page?
Ex. set variable (on the form page):
    session_start(); // must run before $_SESSION is read or written
    if (!isset($_SESSION['token']) && $session->logged_in) {
        // one token per logged-in session (random_bytes() would be a stronger source than md5(uniqid(rand())))
        $_SESSION['token'] = md5(uniqid(rand(), TRUE));
    }
    $token = $_SESSION['token'];
Pass the token through the form in a hidden input, then check (on the validation page):
    session_start(); // reloads the same $_SESSION for this client's session cookie
    if (isset($_POST['token'], $_SESSION['token'])
        && hash_equals($_SESSION['token'], (string) $_POST['token'])) { // constant-time, no loose == juggling
        // token matches: handle the submission
    }
The session_id is passed from page to page via a cookie (in most cases, at least) -- by default, called PHPSESSID.
The session extension uses that cookie to determine which session is associated with the current user.
Basically, there is nothing you have to do: PHP deals with loading and saving data from and to $_SESSION automatically ;-)
For more information, you can take a look at the Session Handling section of the PHP manual, and, more specifically:
- Passing the Session ID
- session.use_cookies
- and a couple of other related configuration directives
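To make the answer concrete, here is an added example (not the asker's or answerer's code) showing the two halves of the flow: the page that issues the token and the AJAX target that verifies it. The file names form.php and validate.php, the form field names and the JSON response shape are assumptions. The point it demonstrates is that the jQuery POST is an ordinary same-origin request, so the browser attaches the PHPSESSID cookie and session_start() in validate.php reloads exactly the $_SESSION that form.php populated.

```php
<?php
// Added example: token issue (form.php) and token check (validate.php).
// Both scripts must live on the same origin so the browser sends the
// PHPSESSID cookie with the XHR request. File names are assumptions.

// ---------- form.php : issues the token and embeds it in the form ----------
function issue_csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();            // sets the PHPSESSID cookie on first use
    }
    if (empty($_SESSION['token'])) {
        // random_bytes() is a CSPRNG; md5(uniqid(rand())) is guessable by comparison.
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

function render_form(): string
{
    // Escape before placing the token in an HTML attribute.
    $token = htmlspecialchars(issue_csrf_token(), ENT_QUOTES, 'UTF-8');
    return <<<HTML
<form id="f" method="post" action="validate.php">
  <input type="hidden" name="token" value="{$token}">
  <input type="text" name="comment">
  <button type="submit">Send</button>
</form>
HTML;
}

// ---------- validate.php : the AJAX target ----------
// $.ajax({url: 'validate.php', type: 'POST', data: $('#f').serialize()})
// sends the session cookie automatically, so session_start() here finds the
// same session record that form.php wrote the token into.
function verify_csrf_token(array $post): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['token'], $post['token']) || !is_string($post['token'])) {
        return false;               // missing token or non-string (e.g. token[]=) input
    }
    // hash_equals() is constant-time and never type-juggles the way == does.
    return hash_equals($_SESSION['token'], $post['token']);
}

// Usage at the top of validate.php:
// header('Content-Type: application/json');
// if (!verify_csrf_token($_POST)) {
//     http_response_code(403);
//     echo json_encode(['ok' => false, 'error' => 'bad csrf token']);
//     exit;
// }
// echo json_encode(['ok' => true]);
```

If the session cookie is not being sent (for example because session.use_cookies is off, or the AJAX call goes to a different origin), verify_csrf_token() will see no $_SESSION['token'] and reject the request, which is the failure mode to check first when a token "mysteriously" stops matching.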