I've been messing with a script, and I'm now at the protection part.
Basically I can't manage to receive a $_session['username'] request.
I cannot use cookies, as these can be faked, and it's a pretty big security hole.
Is this a common issue?
(The non-AJAX and AJAX pages have the same session id, and yes, I do use session_start();)
If you know any good comment scripts it would be appreciated if you would link them! c: )
edit:
The user logs in, and the session is started.
Now I'm combining a page/post with a modified comment script (found here: http://tutorialzine.com/2010/06/simple-ajax-commenting-system/ ).
What I've done is make it work with multiple pages, and remove the user & password thing that was provided with the script.
The request is something similar to this:
$user = $_session['username'];
if ($data['user'] !== $user) { // compare, not assign: the original used a single "=" here
    $errors['error'] = $_session['username']; // just to see if it can find the username
}
The above request returns a null value, but if I run "echo $_session['username'];" on the page that calls java, I get "powback".
EDIT:
I couldn't get this to work, but I made a bypass. I managed to insert $_session['username'] directly into the database with another kind of validation. The current one was stupid... It should work properly now. Thank you!
Try this.
Also, for security, try not to pass the session id via the URL.
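The two points raised in this thread, reading the logged-in user from the session inside the AJAX handler and keeping the session id out of the URL, are shown together in the following added example. It is not the tutorialzine script and not the poster's code; the file name comment_ajax.php, the db.php include that creates a PDO handle $pdo, and the comments(page, user, body) table are all assumed for illustration. Note that PHP superglobals are case-sensitive: $_SESSION is the session array, while $_session is an ordinary undefined variable that is always null, which on its own explains a null result.

```php
<?php
// comment_ajax.php (hypothetical name): the endpoint the comment form posts to.
// Added example, not code from the thread or from the tutorialzine script.

// Identity comes only from the session cookie, never from the URL, so a
// session id cannot be handed over or fixated via ?PHPSESSID=... links.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
ini_set('session.cookie_httponly', '1');   // keep the cookie away from page scripts

// The AJAX call is a separate HTTP request. This handler must call
// session_start() itself; otherwise $_SESSION is empty here even though the
// page that sent the request has a perfectly valid session.
session_start();

// $_SESSION (upper case) is the superglobal; $_session would be an ordinary
// undefined variable and always evaluate to null.
if (empty($_SESSION['username'])) {
    http_response_code(401);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'not logged in']);
    exit;
}

// Never trust a username supplied by the browser; it is as forgeable as a
// cookie. The server-side session is the only source of identity.
$user = $_SESSION['username'];

$page = isset($_POST['page']) ? trim((string) $_POST['page']) : '';
$body = isset($_POST['body']) ? trim((string) $_POST['body']) : '';

$errors = [];
if ($page === '' || strlen($page) > 64) {
    $errors['page'] = 'missing or too long';
}
if ($body === '' || strlen($body) > 2000) {
    $errors['body'] = 'missing or too long';
}
if ($errors) {
    http_response_code(400);
    header('Content-Type: application/json');
    echo json_encode(['errors' => $errors]);
    exit;
}

require 'db.php'; // hypothetical include that creates the PDO handle $pdo

// Prepared statement: page name and comment text are bound as data, not
// concatenated into the SQL.
$stmt = $pdo->prepare('INSERT INTO comments (page, user, body) VALUES (?, ?, ?)');
$stmt->execute([$page, $user, $body]);

header('Content-Type: application/json');
echo json_encode([
    'user' => htmlspecialchars($user, ENT_QUOTES, 'UTF-8'),
    // Escape before echoing back so the JavaScript can insert the comment
    // into the page without the text being interpreted as markup.
    'body' => htmlspecialchars($body, ENT_QUOTES, 'UTF-8'),
]);
```

The page that renders the comment form needs the same session_start() and the same ini settings (or the equivalent values in php.ini) so that both requests agree on where the session id lives; if the handler is reached without the session cookie, the 401 response is the symptom to look for rather than a silently null username.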