I am fairly new to AngularJS.

I have a resource that I use for user management which is part of a service following this article.

Once sending the login request to the server I am getting a response with a set-cookie as part of the header.

What is the best practice to add this cookie to every request I am sending to the server?

myApp.factory('UserService', ['$resource', function ($resource) {
    var userRes = $resource('http://<MyDomain>/api/v1/user/:param',
        {param: '@param'},
        {
            login: {
                method: 'POST'
            },
            logout: {
                method: 'DELETE'
            }
        });

    var user;
    return {
        signIn: function () {
            user = userRes.login({param: 'login'}, {"email": "[email protected]", "password": "test1"});
            userRes.get({param: '1'});
        }
    };
}]);

userRes.login has a set-cookie header on the response; userRes.get does not send the cookie that was just received.

Cheers

It should be attached automatically. – Stewie Dec 26 '13 at 19:35
    
@Stewie - I would think so but it does not. I have updated my question and added a code snippet. – special0ne Dec 26 '13 at 20:06
    
Is angular hosted at the same domain as API? – Stewie Dec 26 '13 at 21:12
    
@Stewie No, I am working on this code from my localhost and making calls to our Server API. Does it mean that I have to deploy it to see if it actually works? – special0ne Dec 26 '13 at 21:17
    
Well, you got yourself a problem of sharing a cookie across different domains. Cookies are, by default, bound to the issuer domain. The bottom line is that Angular does not care and does not need to know about your cookies. Cookies are sent automatically, by the agent (browser), if domains are matching. – Stewie Dec 26 '13 at 21:25

1 Answer

Since your API is in a different domain, you can't use cookies in this case. We've tried and we failed. To put it simply, there is no way: not only does it not work with CORS, but it also doesn't work if you embed an iframe. The iframe trick fails on Safaris mostly, but it is not reliable.

What we usually do is return a JWT (JSON Web Token) from the API and then attach a header to every API request as Authorization: Bearer JWT.

This JWT can be decoded using a public key from the front end (and it will contain the user profile) and validated with a private key in the backend.

JWT is simple and there are plenty of libraries for every language/technology.

Auth0 is an authentication broker that can validate with any identity provider or custom databases, and it returns JWTs using standards. It provides a clientID that can be used to decode the profile in the front end and a secret to validate the tokens in the backend, as well as a client-side library to do this.

Disclaimer: I work for auth0.
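
The header approach from the answer above (send the JWT as Authorization: Bearer on every API request), sketched as an AngularJS $http request interceptor. This is an added example, not part of the original answer; API_ORIGIN, APP_ORIGIN, makeBearerInterceptor and makeTokenStore are hypothetical names, and the token is attached only when the request's origin exactly matches the API origin so it is never sent to other hosts.

```javascript
// Assumed values: replace with the real API origin and the origin serving the app.
const API_ORIGIN = 'https://api.example.test';
const APP_ORIGIN = 'http://localhost:8000';

// Returns an object with the shape AngularJS expects in $httpProvider.interceptors:
// a request(config) function that returns the (possibly modified) config.
function makeBearerInterceptor(tokenStore, apiOrigin, appOrigin) {
  return {
    request: function (config) {
      const token = tokenStore.get();
      if (!token) { return config; }             // not signed in: send nothing
      let target;
      try {
        // Relative URLs (templates, local assets) resolve against the app origin.
        target = new URL(config.url, appOrigin);
      } catch (e) {
        return config;                           // unparsable URL: never attach the token
      }
      // Exact origin match (scheme + host + port). A string prefix test would
      // also match https://api.example.test.other.example/.
      if (target.origin !== apiOrigin) { return config; }
      config.headers = config.headers || {};
      config.headers.Authorization = 'Bearer ' + token;
      return config;
    }
  };
}

// In-memory token holder; signIn would call set() with the JWT from the login response.
function makeTokenStore() {
  let jwt = null;
  return {
    get: function () { return jwt; },
    set: function (value) { jwt = value; }
  };
}

// Wiring inside the AngularJS app (skipped when angular is not loaded).
if (typeof angular !== 'undefined') {
  const store = makeTokenStore();
  angular.module('myApp')
    .value('tokenStore', store)
    .config(['$httpProvider', function ($httpProvider) {
      $httpProvider.interceptors.push(function () {
        return makeBearerInterceptor(store, API_ORIGIN, APP_ORIGIN);
      });
    }]);
}
```

With this in place, UserService can inject tokenStore and call set() in the login success callback; subsequent userRes.get calls to the API origin then carry the header.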
