Detecting Ajax in PHP and making sure request was from my own website

臣服心动 2020-11-29 23:31

I use my PHP back-end to detect AJAX requests by checking for a value in $_SERVER['HTTP_X_REQUESTED_WITH'].

This gives me a reliable detection, making

7 answers
  •  自闭症患者
    2020-11-30 00:22

    Really, the most secure way to do this is to, as you suggested, use server-side sessions, as these cannot be crafted as cookies can.

    Granted, someone can still hijack a session ID, but if you also store the user's IP address in their session and check it on each request, you can weed out a lot of hijacks. Only someone on the same LAN or proxy could hijack it.

    Any other method mentioned--cookies, javascript, http referer--depends on client-side data, which is insecure and should always be suspected of being fake, forged, hijacked and maliciously constructed.
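
The session-plus-IP check described in the answer above, as an added example that is not part of the original post. The function names and the `client_ip` / `page_served` session keys are hypothetical, and the sketch assumes PHP's default file-based sessions with the client connecting directly (no reverse proxy in front).

```php
<?php
// Added example; function names and session keys are hypothetical.

// Call when your own site renders the page that will later issue AJAX calls.
function bind_session_to_client(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['client_ip'])) {
        session_regenerate_id(true);            // fresh ID for the bound session
        $_SESSION['client_ip']   = $_SERVER['REMOTE_ADDR'] ?? '';
        $_SESSION['page_served'] = true;        // only our own page sets this
    }
}

// Call at the top of every AJAX endpoint.
function ajax_request_is_trusted(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Server-side state: the client cannot craft these values.
    if (empty($_SESSION['page_served']) || empty($_SESSION['client_ip'])) {
        return false;
    }
    // Session ID presented from another address: treat it as hijacked.
    if (!hash_equals($_SESSION['client_ip'], $_SERVER['REMOTE_ADDR'] ?? '')) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    // HTTP_X_REQUESTED_WITH is client-supplied, so it is deliberately
    // not part of this decision.
    return true;
}

// Endpoint usage: reject anything that does not carry a bound session.
if (!ajax_request_is_trusted()) {
    http_response_code(403);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'forbidden']);
    exit;
}
```

Behind a reverse proxy or load balancer, `REMOTE_ADDR` is the proxy's address, so every client would match. Clients whose address changes mid-session (mobile networks, for example) will be rejected and need a new session.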
