Why doesn't the login session "stick" when login in using "ionic serve" window but works when I point the browser to the www folder?

Question

I am using Ionic to build a login system on top of Codeigniter/Ion_Auth/codeigniter-restclient and when I try to login from "ionic server" the login works but the next api request to the logged_in() method returns false.

The same thing works properly when I point the browser to the www folder.

So here is the problem step by step:

1. run ionic serve

2. you see the login form (http://localhost:8100/#/app/login)

3. enter email and pass

4. the rest api returns "login successful"

5. $state.go('app.profile') works and redirects to http://localhost:8100/#/app/profile

6. REST get api/logged_in returns false and I redirect to the login page

If I do the same in a regular browser, step 1 becomes: open browser and go to http://localhost:8888/App/www/#/app/login, at step 6 REST get api/logged_in returns true and I don't get redirected to the login page, I stay on the profile page.

The code is the same. So my guess is that maybe ion_auth doesn't get the cookies it wants or the session is reseted. I am not sure at this point what the problem is. This is my first Ionic/App project so I might be missing something about the proper way to authenticate from a mobile app using code that works in browsers

Thank you

UPDATE: It seems that when using the 'ionic server' window every request to the API triggers a new session. The new session is stored in the database and ion_auth tests the logged_in against that last one, which doesn't contain the login details.

Answer 1

you were taking about REST api and cookies and sessions. Cookies and sessions don't go with REST philosophy. Here is why.

Let me tell you how we accomplish this problem in our project. Basic way of knowing which user is requesting and if it has the access rights is by the 'Authorization' header value. You can use Basic Authentication, Barer or any other.

We generally prefer token based authorisation system. When a login is successful, server sends a token. In ionic app, we save it using a factory called SessionService. So whenever user logs in, token is stored and is used for every request. But token would be lost if user closes the app. So we can store it in local storage. User can then be directly redirected to dashboard until user logs out.

app.factory("SessionService", function($window){
    var user={};

    if ($window.localStorage['user']!=undefined){
        user=JSON.parse($window.localStorage['user']);
        console.log(user);
    }

    return{
        isLoggedIn:function(){
            return !isEmpty(user);
        },
        logout:function(){
            console.log("logout")
            user={};
            $window.localStorage.clear();
        },
        setUser:function(data){
            user=data;
            $window.localStorage['user']= JSON.stringify(user);
        }, 
        getUser:function(){
            return user;
        }
    }
})

Now in every web request, you can call SessionService.getUser().token when setting value Authorization header.

UPDATE:

Despite using cookies is not recommended, you can use it in your application easily.

If you are sending request with CORS, angular doesn't sends cookies with request. One of the way address this issue is to send withCredentials: true with every request:

$http({withCredentials: true, ...}).get(...)

Read further about this here.

Hope this helps!