I'm setting up a Node.JS server, using Express, running on port localhost:3005. I've a client developed in AngularJS, running on port localhost:5000.
I set up a passport authentication. When I try with curl commands via a console, or via postman, everything works fine.
I'm calling the "/login" route (post), and then "/authrequired" to know if the user if authenticated. The server can identify the user thanks to a session cookie stored on the client-side. Everything works fine.
Indeed, each time I'm calling the server, the user is identified with the same session ID. For example : 84e3ff8a-b237-4899-aa1f-4a3d047e0c3f.
But, when I'm trying same routes with my web client application, it doesn't work. Each time I call the server, a new session ID is defined.
This is the headers request:
Host: 127.0.0.1:3005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: application/json, text/plain, */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost:5000/
Content-Type: application/json;charset=utf-8
Content-Length: 33
Origin: http://localhost:5000
Connection: keep-alive
And this is the response:
HTTP/1.1 200 OK
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Content-Length: 76
ETag: W/"4c-UHE7wFwyy1/IvgicFsT1YzsRJZ4"
set-cookie: connect.sid=s%3A91e84b8a-63d2-4f01-b28b-882ce1cf1dd5.iIGDvmpU326AF34uAXg%2Bmy1ee28BUGw8TXrFBG0ogKc; Path=/; Expires=Fri, 28 Dec 2018 18:30:50 GMT
Date: Thu, 27 Dec 2018 18:30:50 GMT
Connection: keep-alive
As we can see, a set-cookie header exists. But when I look into the cookies storage of the browser, it doesn't exist. I think that's why the server cannot identify the client, because the client don't send the session cookie to the server.
This is my server configuration:
app.use(bodyParser.urlencoded({ extended: false }))
app.use(bodyParser.json())
app.use(cors())
app.use(express.static('data/images'))
app.use(cookieParser())
app.use(session({
genid: (req) => {
return uuid()
},
store: new FileStore(),
secret: 'test',
resave: false,
saveUninitialized: false,
cookie: {
secure: false,
httpOnly: false,
path: '/',
maxAge: 1000 * 60 * 60 * 24
}
}))
app.use(passport.initialize())
app.use(passport.session())
And this is my request from client side :
$http.post(self.url + '/login', {
idUser: $scope.name,
password: $scope.password
}, {
// withCredentials: true
})
I also add these two lines of configuration to my client app :
$httpProvider.defaults.useXDomain = true;
delete $httpProvider.defaults.headers.common['X-Requested-With'];
When I add the "withCredentials" option to true, I've an error from the web browser : Access to XMLHttpRequest at 'http://127.0.0.1:3005/login' from origin 'http://localhost:5000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
I tried a lot of solutions from stackoverflow, but I failed.
I expect to have the same session ID in order to perform the authentication.
