Thanks in advance,
posted 10 years ago
The browser sends the requests using the same header as it would do for a normal request.
If the page that will be returned by the ajax request must pass by a session verification, it will send the session id through the kookies header.
This will prevent access to unauthorized pages.
The ajax response is like any server side response, and should be configured to be NOT cached and can also be a HTTPS page if needed.