I have created a Node.js/Express application for the back office, and I use AngularJS for the front end.
On Node.js (localhost:3000) I use:
- express
- cookie-parser
- express-session
In app.js (server side) I initialise cookie-parser and express-session like so:
..
// CORS for the Angular front end on port 4000, which calls this API cross-origin.
// Because Allow-Credentials is "true", the origin must be an explicit value,
// never "*". Note that the browser only attaches the session cookie to a
// cross-origin XHR when the request is made withCredentials; Angular's $http
// (and therefore Restangular) does not do that by default, so without it every
// request arrives cookie-less and express-session hands out a fresh session id.
app.use(function(req, res, next) {
  var corsHeaders = {
    'Access-Control-Allow-Origin': 'http://localhost:4000',
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS, PUT, DELETE',
    'Access-Control-Allow-Headers': 'Origin, X-Requested-With, Content-Type, Accept',
    'Access-Control-Allow-Credentials': 'true'
  };
  // res.set with an object is the multi-header form of res.header
  res.set(corsHeaders);
  next();
});
// cookie-parser is mounted without a secret. express-session reads and signs
// its own cookie, so this is not what makes the session work, but it is
// harmless here. Static assets are mounted before the session middleware so
// asset requests never create or touch a session.
var staticRoot = path.join(__dirname, 'app');
app.use(cookieParser());
app.use(express.static(staticRoot));
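// Session middleware. The session id travels only inside the cookie named
// below; the client never has to read it or resend it by hand — the browser
// does that, provided cross-origin requests are sent withCredentials.
// No `store` is given, so express-session's in-memory store is used: fine for
// development, not for production (not shared across processes, unbounded).
app.use(session(
  {
    key: "mycookiesession",          // cookie name (`key` is the legacy alias of `name`)
    secret: credentials.cookieSecret, // signs the session id in the cookie
    resave: false,                   // do not rewrite unchanged sessions to the store
    saveUninitialized: false,        // no cookie until something is stored (i.e. at login)
    cookie: {
      maxAge: 900000,                // 15 minutes, in milliseconds
      // Keep the session id out of document.cookie: an XSS in the Angular app
      // could otherwise read and replay it. Nothing on the client needs to read
      // this cookie, so the original `httpOnly: false` only widened the exposure.
      httpOnly: true
      // TODO(review): add `secure: true` once the API is served over HTTPS; it
      // would block the cookie on plain http://localhost during development.
    }
  }
)//session
);//app.use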
Route: localhost:3000/business/auth
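// POST /business/auth — checks the posted username/password against the
// owner model and, on success, stores the owner's identity in the session.
// Responds 400 on missing fields, 401 on unknown user, 500 on a model error.
business.auth = function(req,res){
  if(!req.body.username || !req.body.password)
  {
    res.status(400);
    res.send({status:'error',msg:'Username or password is missing.'});
    // The original fell through here, called authUser with undefined
    // credentials and then tried to answer a second time.
    return;
  }
  // NOTE(review): authUser receives the *pre-login* session id. Before
  // adding req.session.regenerate() here (recommended against session
  // fixation: a session id issued before authentication should not survive
  // it), confirm what the model does with that id, since a regenerated
  // session would no longer match it.
  var user = ownerModel.authUser(req.body.username, req.body.password, req.session.id);
  user.then(function(user){
    if(_.isEmpty(user)){
      res.status(401);
      res.json({status:'error',msg:'User doesn\'t exist.'});
      return;
    }
    req.session.username = user.username;//save username to session
    req.session.ownerId = user.ownerId;//save ownerid to session
    res.status(200);
    // sessionId is kept for client compatibility only; the cookie already
    // carries it and the client should not store or resend it itself.
    res.json({status:'success',msg:'user logged n.',sessionId:req.session.id});
  }, function(){
    // A model failure is a server error, not a successful (200) response.
    res.status(500);
    res.json({status:'error',msg:'Error occured while fetching login data from database.'});
  });
};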
Route: localhost:3000/products/5
// GET /products/:appId — helpers.isAuthenticated must pass before the list handler runs.
router.route('/:appId').get(helpers.isAuthenticated, products.list); // products:appId
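// GET /products/:appId — returns the product list for the given app id.
// Runs behind helpers.isAuthenticated, so a logged-in session is assumed.
// Responds with the products array, or 500 with an error body on a model failure.
products.list = function(req, res){
  console.log('REQUEST TO GET PRODUCTS (productsController)');
  var appId = req.params.appId;
  // NOTE(review): nothing here ties appId to req.session.ownerId, so any
  // authenticated owner can list any app's products unless productModel.list
  // scopes by owner itself — confirm, or pass req.session.ownerId and filter.
  var prod = productModel.list(appId);
  prod.then(function(products){
    res.send(products);
  }, function(){
    // The original answered 200 here, so the client treated the error as data.
    res.status(500);
    res.send({status:'error',error:'Error occured while fetching data from database.'});
  });
};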
Angular: localhost:4000/#/business/auth
I use the 'restangular' module to make the requests to the server. This works OK: it sends the credentials and the login succeeds.
Problem 1: after the login, when I open a new tab in the browser and call the products endpoint from Angular, localhost:4000/#/products/5, the request arrives with a different session id and I get 'not authorized'; the session.username and session.ownerId that I assigned on login are now undefined.
Problem 2: it is not stable: sometimes the session (when calling products/5) is the same one and the products are fetched, but most of the time it is not.
Postman: when I use Postman, login, products, orders etc. all work — but there I call the server URL directly, e.g. localhost:3000/business/auth and localhost:3000/products/5.
Should I save the session id somewhere? Shouldn't the same session id be sent from the client to the server on every request? Should I send the session id from the server to the client?