Now I think securing ajax calls, and sometimes normal forms, with a token is pretty common. It works like this: 1) the user requests a page; 2) a token is put into the HTML and into the session; 3) on submit these values are checked.
Now one major obstacle I am facing with this is caching. I do not have a lot of changing content, so I want to be able to cache for at least 24 hours. On the other hand, I do some ajax calls on the front-end, and good practice is to have them a little secured.
Now I was thinking of this, but I do not know if it will work. Maybe you can help.
- user requests a site, and the cached site is given.
- On the site, the first ajax call is made, which only asks a token
- In the backend, a token is generated, stored in the session and sent to the front-end
- The token is stored in a var in the frontend, and now sent with every call
- On every call we check the session and the given token
- If they match we do our DB stuff, if not we make a call to the FBI
- The FBI takes over the case
Just kidding about the last part. But will this work, given that you are not sending a piece of the actual website?
Maybe you can make it a little smarter by storing an identifier of the form the user requests.
Actually, I have no idea if this will work, I actually doubt it. Maybe someone can explain to me why this will not work.
In order to prevent CSRF with a token, each user must have a unique token that an attacker cannot guess. If you serve the same cached page to everyone, then the token isn't a secret and an attacker can forge requests.
That being said, you could have some JavaScript use an XHR to pull that user's token from the user's session data store and populate a form or use it in ajax calls.
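The flow sketched in the question and endorsed in the answer (cacheable page without a secret, a non-cacheable token endpoint bound to the session, a check on every state-changing call), modelled as an added Python example that is not code from either poster; the store, endpoint and header names are assumptions:

```python
import secrets
import hmac

# Constructed in-memory session store: session cookie value -> session dict.
SESSIONS = {}

def new_session():
    """Start a session and return its cookie value (assumed opaque and random)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {}
    return sid

def cached_page():
    """The HTML carries no per-user secret, so one copy can be cached for 24 hours.
    Its script fetches the token over XHR after load (same-origin request)."""
    html = ("<script>fetch('/csrf-token', {credentials: 'same-origin'})"
            ".then(r => r.json()).then(j => { window.csrf = j.token; });</script>")
    return html, {"Cache-Control": "public, max-age=86400"}

def csrf_token_endpoint(sid):
    """First XHR: mint (or reuse) the session's token. Must never be cached,
    and must vary on the cookie so a shared cache cannot hand it to another user."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, {"Cache-Control": "no-store"}, None
    token = session.setdefault("csrf", secrets.token_urlsafe(32))
    return 200, {"Cache-Control": "no-store", "Vary": "Cookie"}, {"token": token}

def protected_ajax(sid, supplied_token):
    """Every state-changing call: the token sent by the page must match the one
    in the caller's own session; constant-time compare avoids timing leaks."""
    session = SESSIONS.get(sid)
    if session is None or "csrf" not in session:
        return 403
    if not isinstance(supplied_token, str) or not hmac.compare_digest(session["csrf"], supplied_token):
        return 403
    return 200  # only now do the DB work
```

A forged cross-site request carries the victim's cookie but cannot read the JSON from the token endpoint, so it cannot supply a matching token.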