I am working on implementing a basic login system using Express and AngularJS. The AngularJS application is running on a different server (grunt server, localhost:9000), while the Express app is running on a separate port. In my Express app, I have configured the following headers:
    app.all('/*', function(req, res, next) {
      res.header("Access-Control-Allow-Origin", "http://localhost:9000");
      res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
      res.header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
      res.header("Access-Control-Allow-Credentials", "true");
      next();
    });
My Angular version is 1.0.7, which allows me to set defaults during the configuration step:

    // Enable CORS
    $httpProvider.defaults.useXDomain = true;
    delete $httpProvider.defaults.headers.common['X-Requested-With'];
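I am also setting withCredentials on the $http request:

    // $http takes a single config object; the callback is attached
    // to the promise it returns.
    $http({
      method : "GET",
      withCredentials : true,
      url : apiEndpoint + '/session'
    }).success(success);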
After logging in through my app, a session is established and a cookie is visible in the response. By inspecting the Chrome developer tools, I can confirm that the connect session cookie is being sent with the subsequent request (the session call above). However, on the server side, the req.session property remains empty. While one solution could be hosting the Angular app within Express to avoid these issues, I prefer to maintain separate projects/servers for each.
This shows the /session request, including the attachment of the connect session cookie:
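
The response headers configured above can be checked against the rules a browser applies to a cross-origin request sent with withCredentials. This is an added example, not code from the original post; the function names and the shape of the request object are assumptions made for illustration.

```javascript
// Methods that never need to appear in Access-Control-Allow-Methods.
const SIMPLE_METHODS = ["GET", "HEAD", "POST"];

// Split a comma-separated header value into trimmed tokens.
function splitList(value) {
  return (value || "").split(",").map(t => t.trim()).filter(Boolean);
}

// request:  { origin, method, headers: [non-safelisted request header names] }
// response: map of lower-cased CORS response header names to values
// Returns the reasons a browser would block the credentialed request.
function credentialedCorsProblems(request, response) {
  const problems = [];
  const allowOrigin = response["access-control-allow-origin"];
  if (allowOrigin === "*") {
    problems.push("wildcard origin is rejected for credentialed requests");
  } else if (allowOrigin !== request.origin) {
    problems.push("allowed origin does not match the request origin");
  }
  // The value is compared case-sensitively against the literal "true".
  if (response["access-control-allow-credentials"] !== "true") {
    problems.push("Access-Control-Allow-Credentials must be exactly \"true\"");
  }
  const methods = splitList(response["access-control-allow-methods"]);
  if (!SIMPLE_METHODS.includes(request.method) && !methods.includes(request.method)) {
    problems.push("method " + request.method + " not allowed by preflight");
  }
  // Header names are matched case-insensitively.
  const allowed = splitList(response["access-control-allow-headers"]).map(h => h.toLowerCase());
  for (const name of request.headers || []) {
    if (!allowed.includes(name.toLowerCase())) {
      problems.push("request header " + name + " not allowed by preflight");
    }
  }
  return problems;
}

// Headers as set by the app.all() handler in the question.
const questionHeaders = {
  "access-control-allow-origin": "http://localhost:9000",
  "access-control-allow-headers": "Origin, X-Requested-With, Content-Type, Accept",
  "access-control-allow-methods": "GET, POST, PUT, DELETE",
  "access-control-allow-credentials": "true"
};
// Constructed request mirroring the question's $http call to /session.
const sessionRequest = { origin: "http://localhost:9000", method: "GET", headers: [] };

console.log(credentialedCorsProblems(sessionRequest, questionHeaders));
```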