
Currently I have a website that uses node.js and express.js as the backend API server and passport.js for authentication. When the user logs in with their credentials, the server will start a session and keep the user session in req.user or req.session.passport.user (please correct me if I stated this incorrectly).

Later, when you GET /loggedin, it just does res.json(req.user) and gives you the user information. On the client we can simply GET /loggedin on every request to check the login status and user info.

This is working in a browser. But when I try to do the same thing on mobile, it appears that the device cannot establish a session with the server, which means GET /loggedin returns 401 Unauthorized.

So I was wondering if I am doing something wrong?

Shih-Min Lee

1 Answer


OK, I'll answer my own question here.

After you log in with the express backend server, the server will send you a response. Check the response header and verify there's a field called

"set-cookie"="connect.sid=s.xxxxxxxxxxxxxxxxxxxxxxxxxx"  

When a browser sees the "set-cookie" field in the response header, it will try to write this info into a cookie.

Next, check your local cookies and see if there's a cookie named connect.sid with the value s.xxxxxxxxxxxxxxxxxxxxxxxxxx. If yes, then when you send requests to the server, the server will most likely already know who you are.

This should be true for browsers; however, mobile devices are not that smart, which means you have to manually get this string

"connect.sid=s.xxxxxxxxxxxxxxxxxxxxxxxxxx"  

into a request header so the server can verify your identity using the token you provide.

Shih-Min Lee
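The answer above describes what a browser does for free: remember the Set-Cookie from the login response and replay it as a Cookie header on later requests. The block below is an added example, not code from the question or answer, showing the minimal cookie-jar logic a non-browser client (a mobile app, a Node script) has to implement itself before GET /loggedin stops returning 401. The hostname api.example.com and the Set-Cookie lines are constructed sample data; the connect.sid value follows the shape express-session emits (a signed session id, URL-encoded, so the leading `s:` appears as `s%3A`), but the id and signature here are made up. It also handles the two cases that most often bite hand-rolled clients: a Secure cookie must not be sent over plain http, and a Max-Age=0 / past Expires from the server (logout) must delete the cookie rather than keep replaying it.

```javascript
// Added example (not from the original post): a minimal cookie jar for a
// non-browser HTTP client talking to an express-session / passport backend.
// All header values and the host api.example.com are constructed sample data.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; valueless attributes (Secure, HttpOnly) become `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  if (!nameValue) return null;
  const eq = nameValue.indexOf('=');
  if (eq < 1) return null; // malformed: no cookie name
  const attrs = {};
  for (const attr of attrParts) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name: nameValue.slice(0, eq).trim(), value: nameValue.slice(eq + 1).trim(), attrs };
}

// Store the cookies from a response. `setCookieHeaders` is the array Node's
// http module exposes as res.headers['set-cookie']. `now` is epoch millis.
// HttpOnly is ignored on purpose: it only restricts browser script access,
// which is irrelevant for a native client that holds the cookie anyway.
function storeCookies(jar, setCookieHeaders, now = Date.now()) {
  for (const h of setCookieHeaders || []) {
    const c = parseSetCookie(h);
    if (!c) continue;
    // Max-Age takes precedence over Expires (RFC 6265 section 5.3).
    let expires = null;
    if (c.attrs['max-age'] !== undefined) {
      expires = now + Number(c.attrs['max-age']) * 1000;
    } else if (c.attrs.expires) {
      expires = Date.parse(c.attrs.expires);
    }
    if (expires !== null && expires <= now) {
      // Already-expired cookie means "delete it" (this is how logout clears connect.sid).
      delete jar[c.name];
      continue;
    }
    jar[c.name] = {
      value: c.value,
      expires,
      secure: c.attrs.secure === true,
      path: c.attrs.path || '/',
    };
  }
  return jar;
}

// RFC 6265 path-match: exact match, or prefix match on a directory boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Build the Cookie request header for a URL: only unexpired, path-matched
// cookies, and Secure cookies only when the request actually goes over https.
function cookieHeaderFor(jar, url, now = Date.now()) {
  const u = new URL(url);
  const pairs = [];
  for (const [name, c] of Object.entries(jar)) {
    if (c.expires !== null && c.expires <= now) continue;
    if (c.secure && u.protocol !== 'https:') continue;
    if (!pathMatches(u.pathname, c.path)) continue;
    pairs.push(`${name}=${c.value}`);
  }
  return pairs.join('; ');
}

// Constructed sample of what a passport/express-session login response might set.
const LOGIN_SET_COOKIE = [
  'connect.sid=s%3Aabc123.sigsigsig; Path=/; HttpOnly; Secure',
  'theme=dark; Path=/; Max-Age=3600',
];

// Replay the login cookies against GET /loggedin over https and over plain http.
function demo() {
  const jar = storeCookies({}, LOGIN_SET_COOKIE, 0);
  return {
    https: cookieHeaderFor(jar, 'https://api.example.com/loggedin', 1000),
    http: cookieHeaderFor(jar, 'http://api.example.com/loggedin', 1000),
  };
}
```

Over https the client sends `connect.sid=s%3Aabc123.sigsigsig; theme=dark` and the server can look up the session; over plain http the Secure connect.sid is withheld and the same request comes back 401, which is exactly the symptom in the question when a client either never stored the cookie or is calling an http URL with a Secure session cookie. Send the value exactly as received (still URL-encoded); decoding it breaks the signature check on the server side.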