10

I am using Ionic to build a login system on top of Codeigniter/Ion_Auth/codeigniter-restclient, and when I try to log in from "ionic serve" the login works but the next API request to the logged_in() method returns false.

The same thing works properly when I point the browser to the www folder.

So here is the problem step by step:

  1. run ionic serve

  2. you see the login form (http://localhost:8100/#/app/login)

  3. enter email and pass

  4. the rest api returns "login successful"

  5. $state.go('app.profile') works and redirects to http://localhost:8100/#/app/profile

  6. REST get api/logged_in returns false and I redirect to the login page

If I do the same in a regular browser, step 1 becomes: open browser and go to http://localhost:8888/App/www/#/app/login, at step 6 REST get api/logged_in returns true and I don't get redirected to the login page, I stay on the profile page.

The code is the same. So my guess is that maybe ion_auth doesn't get the cookies it wants or the session is reset. I am not sure at this point what the problem is. This is my first Ionic/App project so I might be missing something about the proper way to authenticate from a mobile app using code that works in browsers.

Thank you

UPDATE: It seems that when using the 'ionic serve' window every request to the API triggers a new session. The new session is stored in the database and ion_auth tests the logged_in against that last one, which doesn't contain the login details.

orbitory
  • Is the question clear for you? For me, no. I tried several times to understand it but indeed, this is obscure. Please clarify what you have, what you tested, and what is your issue. – aorfevre May 20 '15 at 19:56
  • I added a step by step explanation, hopefully it helps – orbitory May 20 '15 at 20:13
  • explanation is much better like that. – aorfevre May 20 '15 at 20:18
  • How do you configure your `cookie_domain` and `cookie_path`? – Fu Xu May 29 '15 at 09:36
  • I use the ion_auth library for CodeIgniter. ion_auth uses the CodeIgniter session library, which sends cookies that should be sent back by the browser. These cookies are never sent, so authentication using cookies only works once. The second request to the API to get some data triggers a new session because the cookies are not sent. The sessions are stored in the db, and when using a regular browser the call to the API after login doesn't trigger a new session. – orbitory May 29 '15 at 18:36
  • It's still unclear. The title is still confusing. What does 'when I point to the www folder' mean? In step 6, 'REST get api/logged_in returns false and I redirect to the login page', what does this mean? You are redirected to the profile page and right after that it redirects to the login page? – Bipin Bhandari May 31 '15 at 02:36
  • A PhoneGap/Ionic project has a www folder that you can access within the browser; you don't have to run "ionic serve". After a successful login I am redirected to the profile page part of the code that checks if the user is logged in by reading a cookie. Because the cookies set at login are not sent back with the new request to read the profile page I get redirected back to the login. So in order to make the login work I need to use something else, like local storage, and send the data every time I do an API request. – orbitory Jun 01 '15 at 12:55

1 Answer

2

You were talking about REST API, cookies and sessions. Cookies and sessions don't go with the REST philosophy. Here is why.

Let me tell you how we accomplish this in our project. The basic way of knowing which user is requesting and whether it has the access rights is by the 'Authorization' header value. You can use Basic Authentication, Bearer or any other.

We generally prefer token based authorisation system. When a login is successful, server sends a token. In ionic app, we save it using a factory called SessionService. So whenever user logs in, token is stored and is used for every request. But token would be lost if user closes the app. So we can store it in local storage. User can then be directly redirected to dashboard until user logs out.

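```javascript
app.factory("SessionService", function($window){
    var user={};

    // True when the object has no own properties (no stored user).
    function isEmpty(obj){
        return Object.keys(obj).length === 0;
    }

    // Restore the user (including the token) saved by a previous app run.
    if ($window.localStorage['user']!=undefined){
        user=JSON.parse($window.localStorage['user']);
        console.log(user);
    }

    return{
        isLoggedIn:function(){
            return !isEmpty(user);
        },
        logout:function(){
            console.log("logout");
            user={};
            // Removes every key stored for this origin, not only 'user'.
            $window.localStorage.clear();
        },
        setUser:function(data){
            user=data;
            $window.localStorage['user']= JSON.stringify(user);
        },
        getUser:function(){
            return user;
        }
    };
});
```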

Now in every web request, you can call SessionService.getUser().token when setting the value of the Authorization header.

UPDATE:

Although using cookies is not recommended, you can use them in your application easily.

If you are sending requests with CORS, Angular doesn't send cookies with the request. One way to address this issue is to send withCredentials: true with every request:

```javascript
// url is the API endpoint; withCredentials belongs in the request config object
$http.get(url, {withCredentials: true})
```

Read further about this here.

Hope this helps!

Bipin Bhandari
  • While I agree that cookies are not the best way to work with APIs(and at this time I will probably try a local storage solution) it doesn't mean they were removed as functionality. Or were they? From my understanding cookies should work even if it's not recommended. – orbitory Jun 01 '15 at 13:00
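
One way to attach the token from SessionService to each API request, as an added example that is not code from the answer above: an AngularJS-style interceptor that sets the Authorization header only for the API's own origin and drops the stored token on a 401. The names `API_ORIGIN`, `makeSession` and `makeAuthInterceptor` are hypothetical, and the origin is assumed from the question's backend on port 8888; in an app the returned object would be registered through `$httpProvider.interceptors` with the real SessionService.

```javascript
// Assumption: the API lives on the question's backend origin.
var API_ORIGIN = "http://localhost:8888";

// Constructed in-memory stand-in for SessionService so this runs under Node.
function makeSession(user) {
  var current = user || {};
  return {
    getUser: function () { return current; },
    logout: function () { current = {}; }
  };
}

// Hypothetical helper: returns an interceptor object ({request, responseError}).
// pageUrl is the page the app is served from, used to resolve relative URLs.
function makeAuthInterceptor(session, apiOrigin, pageUrl) {
  function isApiRequest(url) {
    // Compare whole origins (scheme + host + port) so a look-alike host,
    // another port, or a template fetched from the page origin never matches.
    try {
      return new URL(url, pageUrl).origin === apiOrigin;
    } catch (e) {
      return false; // unparseable URL: never attach the token
    }
  }
  return {
    request: function (config) {
      var user = session.getUser() || {};
      if (user.token && isApiRequest(config.url)) {
        config.headers = config.headers || {};
        config.headers.Authorization = "Bearer " + user.token;
      }
      return config;
    },
    responseError: function (rejection) {
      // A 401 from the API means the token is expired or revoked: clear it so
      // isLoggedIn() becomes false and the app can route back to the login state.
      var cfg = rejection.config || {};
      if (rejection.status === 401 && isApiRequest(cfg.url)) {
        session.logout();
      }
      return Promise.reject(rejection); // inside Angular, use $q.reject(rejection)
    }
  };
}
```

Because the header is set explicitly on each request, this works the same from `ionic serve` on port 8100 as from the www folder, with no dependence on the browser returning a session cookie.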