Hello everyone,
I just thought about the security on the site I'm building, and I use a lot of AJAX applications on it. The problem I'm having is storing the session value where I call the JavaScript. For example:
Code:
onclick="post_comment('your_id');"
You could easily just write someone else's id to make it look like someone else is posting the comment. I fixed this by adding a session for the username also, so it looks like this:
Code:
onclick="post_comment('your_id','your_username');"
And then in the PHP code I check if the username matches the id, and if it doesn't it won't post the comment, although if you know what id and username a user has you could still fake it.. So I just looked at YouTube's AJAX applications and found out that they use this:
Code:
<code> .... session_token=<long string with my unique "session_token"> ...<more code>
So I'm just wondering if it's possible to somehow post the session "key" or content instead of the value.. If not, is there another safe way to do this?
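An added example (not code from the original post) showing the usual server-side answer to this question: the comment endpoint never accepts a user id or username from the browser at all. It takes the poster's identity from `$_SESSION`, which the client cannot edit, and the only thing the JavaScript sends besides the comment text is a per-session anti-CSRF token that the server compares with `hash_equals`. The function names, the `csrf_token` session key and the `text`/`csrf_token` POST field names are assumptions made for this illustration, as is the assumption that `user_id` and `username` were stored in the session at login.

```php
<?php
// Added example, not from the original post. Assumes login already stored
// $_SESSION['user_id'] and $_SESSION['username'].
session_start();

// Issue one random token per session; the page that renders the comment form
// embeds it in the post_comment() call, e.g.
//   onclick="post_comment('<?= htmlspecialchars(csrf_token()) ?>')"
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the token the client sent with the session copy.
function csrf_token_valid(?string $sent): bool {
    return is_string($sent)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $sent);
}

// The "before" shape from the post: the id comes from the browser, so any
// caller can claim any id. Kept only to contrast with the version below.
function post_comment_insecure(string $user_id, string $text): array {
    return ['user_id' => $user_id, 'text' => $text];
}

// Hardened: identity comes only from the server-side session, and the request
// must carry the session's own CSRF token. There is no id or username for a
// caller to fake, because the client never sends one.
function post_comment_secure(string $text, ?string $csrf): ?array {
    if (!isset($_SESSION['user_id'], $_SESSION['username'])) {
        return null; // not logged in
    }
    if (!csrf_token_valid($csrf)) {
        return null; // missing or wrong token: reject the request
    }
    $text = trim($text);
    if ($text === '') {
        return null; // nothing to post
    }
    return [
        'user_id'  => $_SESSION['user_id'],
        'username' => $_SESSION['username'],
        'text'     => $text,
    ];
}

// AJAX entry point: the JavaScript POSTs only "text" and "csrf_token".
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    header('Content-Type: application/json');
    $result = post_comment_secure($_POST['text'] ?? '', $_POST['csrf_token'] ?? null);
    http_response_code($result === null ? 403 : 200);
    echo json_encode($result ?? ['error' => 'forbidden']);
}
```

The token here is not the session id itself: the session id lives in the cookie and should stay there, while the token is a separate random value that an attacker's page cannot read, which is what makes a forged cross-site request fail. Checking that a client-supplied username matches a client-supplied id, as in the post, does not help, because both values are public and both are chosen by the caller.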