Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I know this has been asked before but I needed some clarification and confirmation.
I’ve been told when creating cookies, to use httponly to prevent XSS.
So my clarification is if I use httponly, will my php scripts accessed via ajax request still be able to determine my active php session (default: phpssessid) and retrieve my $_SESSION variables?
The thing is I didn’t design with httponly option and I’m concerned if adding that option will in any way affect the design of the script.
Thanks!
I’m not sure I get the question, but here’s a stab: you’d need to setup the session the same way on the script you’re calling from ajax as you did on your main page. For example, I have a single file I “include” in my main page, and anything I call from that page using ajax.
so, the top of my index.php has
same thing on the top of my ajax_helper.php file
the db.php file contains the mysql startup commands, session_start, and anything else that would be common to all pages on the site. That way, the session works anywhere.
I hope that makes sense and answers your question