Node.js CORS session cookie with Angular.js

I am making a simple login using Node.js with CORS and Angular.js.

That is --- client.example.com is making a POST to api.example.com/login where on success a session cookie is returned to client.example.com and can gain access to a GET service like api.example.com/secret protected by the session cookie.

Making GET requests that aren't protected by a session cookie isn't a problem.

Ultimately, the goal here is to authenticate a client side app to a REST api using CORS with a local strategy --- i.e. username & password --- even if the convention above isn't possible.

I can not find a working implementation to learn from anywhere --- point me in the right direction?

Bonus: Show a working example.

Dan Kanze asked Apr 23 '13 01:04


1 Answer

Your problem is very simple: browsers do not allow cookies set in one domain to be sent to a different domain.
This is for security. If your session cookie was accessible from any domain, then any site could perform CSRF (by definition, what you want is to do CSRF - use the session from one site in a different site).

There are ways around it, though you should be careful when applying them.

  • Easiest way is by using JSONP to login and make cross-domain requests; JSONP basically breaks the cookies' cross-domain policies.

  • You can embed an iframe in the client.example.com page that sits in api.example.com; the parent and the iframe can communicate using postMessage.

Both ways are open to CSRF requests (by their very nature), so you should be extra careful in what information you allow client.example.com to access.

Alon Bar David answered Oct 26 '22 23:10