
I'm trying to set up a login system using Ajax.

After the user enters his login and password on subdomain.domain.com (which could also be otherdomain.com), I make a jQuery $.post request to rest.domain.com and the user gets properly logged in.

Then, if I make another request to rest.domain.com to check whether the user is logged in (or to perform other operations that require the user to be logged in), the session is empty.

What am I doing wrong?

EDIT

Client app

// Send the login form to the REST host and handle the reply
$.post('http://rest.domain.com/user/login', form, function(data){
   //Do what is needed
});

RESTful app (using Slim and uFlex)

<?php
// $app (the Slim application) and $user (the uFlex User object) are created
// earlier in the application bootstrap; only the routes are shown here.
header('Access-Control-Allow-Origin: *'); // allow any origin to call the API
session_start();                           // start or resume the PHP session

//User
//Check if logged
$app->get('/user/logged', function () use ($user, $app){
    print_r($_SESSION);
    echo $user->signed;
});

//Login
$app->post('/user/login', function () use ($user, $app) {
    $username = isset($_POST['email']) ? $_POST['email'] : false;
    $password = isset($_POST['password']) ? $_POST['password'] : false;
    $auto = isset($_POST['auto']) ? $_POST['auto'] : false;

    $user->login($username, $password, $auto);

    if($user->signed){
        print_r($_SESSION);
    }else{
        //Display Errors
        foreach($user->error() as $err){
            echo "<b>Error:</b> {$err} <br/>";
        }
    }
});
Robyflc

3 Answers

I think you are violating the Same Origin Policy. You cannot make Ajax requests to different domains, or at least that's what the SOP stipulates. So that's something you should look at.

After you do the above procedure, use the browser to inspect the cookies stored. The cookies are stored on a per-sub-domain basis, so your PHP_SESSID cookie (if you are using $_SESSION) may exist on the wrong sub-domain.

Can you provide more insight on how you are storing the session?

Regardless of the above, it's best to direct all Ajax requests to the same target ajax.php file on the same sub-domain, protocol, etc. (all the rules of the SOP) and route the request at server level.

flavian
  • I'm using CORS not to violate it and to assure I can't create a RESTful server. Strangely no Session cookie is being stored at all. The server stores it in a session using the uFlex class. – Robyflc Apr 06 '13 at 09:03
  • You could allow those cross domain requests by setting the headers allow-origin policy in the webserver. – Elger Mensonides Apr 06 '13 at 09:04
  • I did it much before I had this problem so I'm sure the issue isn't related. – Robyflc Apr 06 '13 at 09:05

Your session is likely stored in cookies bound to rest.domain.com.

See this thread: Why is jquery's .ajax() method not sending my session cookie?

In order to support this kind of authentication, you either have both the REST APIs and the Web site on the same domain, or you define a session authentication based on headers (that you can control) exchanged between the client and the server.

For example, after you perform the initial authentication, you could generate a random session-id (not PHP session-id) and the next-request-id and send it back to the client via HTTP headers.

Client-side you would read the session-id and next-request-id and use them for subsequent requests to the REST APIs.

The REST APIs would check for the session-id and next-request-id and validate them. If valid, the request is authenticated. In the response the same session-id and a new next-request-id are sent back to the client.

To avoid third parties tampering with the session, if a request-id is used twice the session-id should be invalidated.

In order to reuse the session-id across page changes, you can store both in the browser's localStorage.

David Riccitelli

Although it's totally possible to make cross-domain Ajax requests, these requests don't set the cookies necessary to keep a valid session, for security reasons.

In my case the software design allowed me to remove all the cross-domain requests and replace them to make it work.

If that wasn't the case, I think the best solution would be to rely on OAuth, as most of the 'serious' RESTful APIs do.

Robyflc