Do AJAX requests retain PHP Session info?

Note: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same license, cite the original address and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/676846/

Date: 2020-08-24 23:27:38  Source: igfitidea

Tags: php, ajax, session

Asked by Click Upvote

If I had a user logged onto my site, with his id stored in $_SESSION, and from his browser he clicked a 'Save' button which would make an AJAX request to the server, will his $_SESSION and cookies be retained in this request, and can I safely rely on the id being present in $_SESSION?

Answered by thomasrutter

The answer is yes:

Sessions are maintained server-side. As far as the server is concerned, there is no difference between an AJAX request and a regular page request. They are both HTTP requests, and they both contain cookie information in the header in the same way.

From the client side, the same cookies will always be sent to the server whether it's a regular request or an AJAX request. The Javascript code does not need to do anything special or even to be aware of this happening, it just works the same as it does with regular requests.

Answered by cletus

What you're really getting at is: are cookies sent with the AJAX request? Assuming the AJAX request is to the same domain (or within the domain constraints of the cookie), the answer is yes. So AJAX requests back to the same server do retain the same session info (assuming the called scripts issue a session_start() as per any other PHP script wanting access to session information).

Answered by Ólafur Waage

If the PHP file the AJAX requests has a session_start() the session info will be retained. (barring the requests are within the same domain)

Answered by Sz.

Well, not always. Using cookies, you are good. But the "can I safely rely on the id being present" urged me to extend the discussion with an important point (mostly for reference, as the visitor count of this page seems quite high).

PHP can be configured to maintain sessions by URL-rewriting, instead of cookies. (How it's good or bad (<-- see e.g. the topmost comment there) is a separate question, let's now stick to the current one, with just one side-note: the most prominent issue with URL-based sessions -- the blatant visibility of the naked session ID -- is not an issue with internal Ajax calls; but then, if it's turned on for Ajax, it's turned on for the rest of the site, too, so there...)

In case of URL-rewriting (cookieless) sessions, Ajax calls must take care of it themselves that their request URLs are properly crafted. (Or you can roll your own custom solution. You can even resort to maintaining sessions on the client side, in less demanding cases.) The point is the explicit care needed for session continuity, if not using cookies:

  1. If the Ajax calls just extract URLs verbatim from the HTML (as received from PHP), that should be OK, as they are already cooked (umm, cookified).

  2. If they need to assemble request URIs themselves, the session ID needs to be added to the URL manually. (Check here, or the page sources generated by PHP (with URL-rewriting on) to see how to do it.)

From OWASP.org:

Effectively, the web application can use both mechanisms, cookies or URL parameters, or even switch from one to the other (automatic URL rewriting) if certain conditions are met (for example, the existence of web clients without cookies support or when cookies are not accepted due to user privacy concerns).

From a Ruby-forum post:

When using php with cookies, the session ID will automatically be sent in the request headers even for Ajax XMLHttpRequests. If you use or allow URL-based php sessions, you'll have to add the session id to every Ajax request url.


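The distinction the answer above draws, as an added example that is not part of Sz.'s post: which transport the server is configured to use for the session id, the cookie-only settings that make an AJAX URL need nothing extra, and how the URL has to be built when URL-based sessions are on (item 2 above). Function names are this example's own, and it assumes login stored the user's id in $_SESSION['user_id'].

```php
<?php
declare(strict_types=1);

// 'cookie' : id travels only in the session cookie (XHR/fetch attach it by themselves)
// 'url'    : id is accepted from the query string and rewritten into links/forms
// 'both'   : cookies are used, but an id in the query string is accepted as well
function session_transport(): string
{
    $onlyCookies = (bool) ini_get('session.use_only_cookies');
    $transSid    = (bool) ini_get('session.use_trans_sid');
    if ($onlyCookies) {
        return 'cookie';
    }
    return $transSid ? 'url' : 'both';
}

// The hardened choice; must run before session_start().
function use_cookie_only_sessions(): void
{
    ini_set('session.use_only_cookies', '1'); // ignore ids in the query string
    ini_set('session.use_trans_sid', '0');    // never rewrite ids into output
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
}

// URL for an XMLHttpRequest/fetch call. With cookie-only sessions the path is
// returned unchanged. With URL-based sessions PHP only rewrites links it finds
// in HTML output, not URLs assembled in JavaScript, so the id is appended here
// explicitly; that is what "added to the URL manually" means.
function ajax_url(string $path): string
{
    if (session_transport() === 'cookie' || session_status() !== PHP_SESSION_ACTIVE) {
        return $path;
    }
    $sep = strpos($path, '?') === false ? '?' : '&';
    return $path . $sep . rawurlencode(session_name()) . '=' . rawurlencode(session_id());
}

use_cookie_only_sessions();
session_start();
// With cookie-only sessions nothing is added: the browser's cookie carries the id.
echo ajax_url('/save.php'), PHP_EOL;
```
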
Answered by Bogdan Constantinescu

It is very important that AJAX requests retain session. The easiest example is when you try to do an AJAX request for the admin panel, let's say. Of course you will protect the page that you make the request to, so as not to be accessible by others who don't have the session you get after administrator login. Makes sense?

Answered by brianabee7

put your session() auth in all server side pages accepting an ajax request:

    <?php
    // auth.php calls session_start(), checks the login and returns true only
    // for an authenticated session; require_once yields that return value
    if (require_once("auth.php")) {
        // run json code
    }
    // do nothing otherwise

That's about the only way I've ever done it.

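The pattern from the answer above written out, as an added example that is not brianabee7's code: in practice the two functions live in auth.php and are pulled in with require_once, but they are kept in one file here so it runs as-is. It assumes login stored the user's id in $_SESSION['user_id'], and the array form of session_set_cookie_params needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

function start_session_for_ajax(): void
{
    // Flags for the cookie the browser attaches to every same-origin request,
    // page load and XMLHttpRequest alike.
    session_set_cookie_params([
        'httponly' => true,    // script cannot read the id; XHR still sends it
        'secure'   => true,    // only over HTTPS
        'samesite' => 'Lax',   // not attached to cross-site POST requests
        'path'     => '/',
    ]);
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();       // without this $_SESSION is simply empty
    }
    // Regenerate the id at login, not here: regenerating on every AJAX call
    // would replace the id the page that issued the request still holds.
}

// The auth check every AJAX target runs first. Ends the request with a JSON
// 401 when nobody is logged in, so the caller gets a parseable body instead
// of a redirect to the login page.
function require_login(): int
{
    start_session_for_ajax();
    if (!isset($_SESSION['user_id']) || !is_int($_SESSION['user_id'])) {
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'not authenticated']);
        exit;
    }
    return $_SESSION['user_id'];
}

// save.php body: the 'Save' button's AJAX target from the question. The id
// read here is the same one a regular page request would see.
$userId = require_login();
header('Content-Type: application/json');
echo json_encode(['saved' => true, 'user' => $userId]);
```
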

Answered by John

One thing to watch out for though, particularly if you are using a framework, is to check if the application is regenerating session ids between requests - anything that depends explicitly on the session id will run into problems, although obviously the rest of the data in the session will be unaffected.

If the application is regenerating session ids like this then you can end up with a situation where an ajax request in effect invalidates / replaces the session id in the requesting page.

Answered by AlexA

That's what frameworks do, e.g. if you initialize the session in a Front Controller or bootstrap script, you won't have to care about its initialization either for page controllers or ajax controllers. PHP frameworks are not a panacea, but they do so many useful things like this!
