I am working on a module that would be making a lot of async Ajax requests to the server for fetching bits of information as desired by the user. These Ajax calls would be answered by a normal PHP script outside the usual Drupal bootstrap.
For an example of what I mean, let me use the popular Marinelli theme. It rotates the banner at the top of page randomly. The image src for the
is set to a php script that writes out a random image file from the server, and sets the headers accordingly.
I would be doing something similar (but writing out json in response to requests). Now I want to make sure that the user invoking this php script has rights to do it. And for this, I need the credentials of the currently logged-in user together with his/her access rights & permissions.
Now how can I do this without involving the performance penalty of a full Drupal bootstrap??
Comments
So a call will be made from
So a call will be made from the Drupal site to the ajax handler? In that case, why not check permissions ahead of time on the Drupal side and let the ajax script assume that if Drupal is sending the request the user has permissions?
If the concern is that someone could call the ajax script directly, without going through Drupal, Drupal could pass a hashed key that the ajax script could check to verify the call was coming from the Drupal site.
Does that cover what you're asking, or have I misunderstood the problem?
That is exactly what I am
That is exactly what I am working upon now. I am passing an encrypted string which is verified in the Ajax handler. However, I thought it would be better if I can get the user info from Drupal.
It provides added benefits, e.g. if a user's login cookie expires, Drupal would tell me that. However, in what you have suggested (and which is what I am currently implementing), once a user accesses that page which makes those ajax calls, if he does not navigate away from the page, he can use it for any time he/she desires. I know you can ask me to revalidate at regular intervals, but having access to core Drupal info would have helped in scenarios where a user is authorized by an admin for a task, but for some reason, the admin then unauthorizes him. If I can access Drupal info, I would be able to catch this immediately. However, if I don't, I would have to wait for that timeout which I may set.
In any case, Drupal would be storing the login info in cookies only. Is there any way I can extract what Drupal has stored in cookies??
It doesn't store the login
It doesn't store the login info in the cookie; it stores a session id in the cookie and the details of the session in the sessions table.
You could, I suppose, read the session id from the cookie, query the session table to get the uid for that session and check to see that the session is still valid based on the timestamp, then query for permissions based on that uid, but every step in that direction more tightly binds your ajax to your Drupal and at some point you may as well just break down and bootstrap Drupal.
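
The "hashed key" approach suggested in the thread, sketched as an added example that is not code from any of the posters: the Drupal side signs the user id and an expiry time with an HMAC after its own permission check, and the standalone Ajax handler verifies the signature and expiry without bootstrapping Drupal. The function names, token layout and key are assumptions made for illustration.

```php
<?php
// Constructed sample key (assumption). In practice: a long random secret,
// stored outside the web root, known only to the Drupal module and handler.
const AJAX_TOKEN_KEY = 'constructed-sample-key-replace-me';

// Drupal side (hypothetical helper): call while building the page, after the
// normal Drupal permission check for this user has passed.
function issue_ajax_token($uid, $ttl, $now = null)
{
    $now = ($now === null) ? time() : $now;
    $payload = (int) $uid . '.' . ($now + (int) $ttl);
    return $payload . '.' . hash_hmac('sha256', $payload, AJAX_TOKEN_KEY);
}

// Handler side (hypothetical helper): returns the uid the token was issued
// for, or false. Compare the result with === false, since a uid may be 0.
function verify_ajax_token($token, $now = null)
{
    $now = ($now === null) ? time() : $now;
    if (!is_string($token)) {
        return false;
    }
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return false;
    }
    list($uid, $expires, $mac) = $parts;
    if (!ctype_digit($uid) || !ctype_digit($expires)) {
        return false;
    }
    $expected = hash_hmac('sha256', $uid . '.' . $expires, AJAX_TOKEN_KEY);
    // Constant-time comparison so response timing does not reveal MAC bytes.
    if (!hash_equals($expected, $mac)) {
        return false;
    }
    // Reject tokens past their expiry even when the MAC is genuine.
    return ((int) $expires >= $now) ? (int) $uid : false;
}

// Constructed demonstration with a fixed clock value.
$t0 = 1700000000;
$token = issue_ajax_token(42, 300, $t0);
var_dump(verify_ajax_token($token, $t0 + 60));   // token within its lifetime
var_dump(verify_ajax_token($token, $t0 + 301));  // token past its expiry
$altered = preg_replace('/^42\./', '1.', $token);
var_dump(verify_ajax_token($altered, $t0 + 60)); // uid changed, original MAC kept
```

A short lifetime bounds the window raised in the thread, where a user keeps the page open after an admin withdraws access; catching a revocation before the token expires still requires the session and permission lookup described in the last reply.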