I am working on a login system that I want to work like this:
Attempt to post when not logged in pops up an alert with u/p fields -> submitting the u/p via AJAX hits the login route -> a successful login sets a 'logged in' cookie -> attempting to post again now succeeds. All without a page reload.
It seems I have hit a roadblock, though, with all this CORS/cross-domain access control, because I am using dynamic subdomains and XHR requests.
You could be on anywhere.mysite.com and have to make a cross-domain AJAX call to user.mysite.com/login to log in.
In order for login() to be allowed to set the cookie, you have to specify your origin (no '*' wildcard), set an 'Access-Control-Allow-Credentials: true' header, and submit the AJAX request with an 'xhrFields: {'withCredentials': true}' parameter. I can get this to work.
My problem is the dynamic domains. It's not possible to list every possible subdomain in the accepted origins list. Is there any possible way to have it accept .mysite.com as the origin so that all subdomains of mysite.com pass?
This post lists the possibility of setting document.domain = "company.com"; in an iframe to achieve this kind of functionality, but I'm not sure where in my login flow above I would insert an iframe or how that would even work...
Any thoughts?