In Ajax/PHP/MySQL/MyUserAccountSecureArea/SESSION[] communication...

is it like web site <> server the

Hybrid(like PhoneGap) App <> server???

needed send in every request to server user password, in the latter case?

https:// php ajax urls required?