Sails.js creates new session on each call

Question

I have a Sails.js (v0.12.0) app that serves only as an API. A single page app makes ajax calls to the endpoints in this app.

The route 'PUT /login' is used to authenticate the user and in my controller I set req.session.authenticated = true.

The policies.js file includes '*':['isAuthenticated'] for all other functions on my controller. This policy is very simple:

module.exports = function isAuthenticated(req, res, next) {
  if (req.session.authenticated) {
    return next();
  }
  return res.forbidden('You are not permitted to perform this action.');
};

When I inspect the value in Redis ("connect-redis": "^3.0.2") I can see the values I set on the session object.

Subsequently, when calling 'GET /profile', it passes the policy since the user is authenticated.

This works locally with the sails app and Redis on my dev machine (ubuntu) and using Postman, also locally (i.e. everything on localhost domain).

The problem comes in when deploying the app to our soon-to-be production system. The UI is a php app running on Apache that serves all the web content for the site.

Some parts of this front-end app use our sails.js backend, which runs on a second server, e.g. http://1.1.1.1/index.php is loaded and from this single page app ajax calls are being made to http://1.1.1.2/login etc. There is no domain registered yet, we just use the two IP addresses for now while testing. The ip's used here are just examples.

When calling /login in the sails app, the user is authenticated and the session is updated, which can be seen to be correct using redis-cli. (Redis is also running on the node/sails box).

The next call to /profile fails with a 403 (due to the policy). In the request header I can see Origin being http://1.1.1.1 and the cookie contains the sails.sid and the response contains Set-Cookie, but with a different sails.sid.

In redis-cli I can see that a new session is created for the second call, so it appears that the call to /profile is somehow not using the same session.

The call from the browser:

$http({
  method: 'GET',
  url: 'http://1.1.1.2/profile',
  withCredentials:true
})
.then(function (response) {
  console.log(response);
});

In cors.js, I have

module.exports.cors = {
  allRoutes: true,
  origin: 'http://1.1.1.1,http://1.1.1.2',
  credentials: true,
  methods: 'GET, POST, PUT, DELETE, OPTIONS, HEAD',
  headers: 'content-type'
};

As I understand, this should allow calls coming from http://1.1.1.1 to http://1.1.1.2 yet the initial session is not used again and any calls to any endpoints that are subject to the isAuthenticated policy fail with 403.

Since everything "works on my machine" I suspect that there is a problem with my config somewhere regarding the two domains.

Any help will be greatly appreciated.

Answer 1

Please make sure you have same secret key for both of your apps in config : session.js

module.exports.session = { secret: '123abc', ...  }

Answer 2

Turns out tokens are the answer when dealing with multiple domains. Start here: https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/