1

The web framework I am using has cookie (or token) based authentication. When a user registers, a postback occurs and the server places an authentication token inside of a cookie that attaches itself to the user's browser. All subsequent requests include this token and are therefore secure in that sense.

My question: Do I have to do a full-page postback refresh after a user registers to get the auth token placed on the user's browser? Or could I simply have the server return an auth token (via ajax) on successful user registration (done via ajax as well)? I'd prefer the latter if possible.

Thanks.

3
  • You answered yourself. Just return the auth token on successful registration and create an interceptor which changes the user state on the client side. Commented Feb 17, 2014 at 11:03
  • @IlanFrumer any chance of putting your answer in a plunker? Commented Feb 17, 2014 at 17:24
  • @IIan Frumer What is an "interceptor"? Commented Feb 17, 2014 at 18:37

1 Answer

1

If your framework gives back a token, you just have to add it to the headers for all subsequent requests.

Making this permanent requires additional code (ex: writing it in localStorage).

I don't know the header that your framework wants :) but I can assume your login controller might look like this:

angular.module('coolModule', [])
.controller('CoolController', function ($scope, $http) {

  $scope.loginButton = function () {

    // assuming username and password are in the scope
    $http.post('/api/login', {
      username: $scope.username,
      password: $scope.password
    })
    .success(function (data, status, headers, config) {
      // send the returned token as a header on every later $http request
      $http.defaults.headers.common['X-My-Token'] = data.token;
    });

  };
});

Subsequent requests will have an X-My-Token header, which usually works for identification.

EDIT: Yes, setting a cookie (in JavaScript or from a server response) will make it get sent with every request (like all the cookies in this internet world).
If you are also developing the backend, it would be much more elegant to make the backend send a cookie to the client, rather than writing it manually as you commented ^_^

A cookie has some pros, like an expiration date, and some cons: reading it from JavaScript is not really elegant (it usually requires a wrapper lib, angular-cookie, for browser compatibility).

In both cases, when a cookie expires or the token is invalid (so you will receive a 40x response), you will have to handle the failure using some angular.js code.


2 Comments

Coltre, if I set it as a cookie won't it be included in every request? Couldn't I just use the setCookie('sess', token) function, after retrieving it via post? $.post('/register?user=' + user + '&pass=' + pass, function(token) { setCookie('sess', token); });
Would the session timeouts then work the same? Or would I have to catch 404's when the session expires and then log out the user via JavaScript? I guess, how do you detect an expired token?
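The interceptor mentioned in the comments, combined with the 40x handling the answer describes, as an added example that is not part of the original posts. It assumes the answer's X-My-Token header, a hypothetical 'authToken' storage key and 'auth:expired' event name, and a backend that answers 401 for an expired or invalid token; unlike $http.defaults.headers.common, it attaches the token only to requests for the app's own origin.

```javascript
// Added example. Assumed names: 'authToken' storage key, 'auth:expired' event,
// 401 as the "token expired/invalid" status. X-My-Token comes from the answer.
function makeAuthInterceptor($q, storage, appOrigin, onExpired) {
  // Resolve relative and protocol-relative URLs against the app origin, so
  // '/api/x' counts as ours and '//cdn.example/x' does not.
  function isOwnOrigin(url) {
    try {
      return new URL(url, appOrigin).origin === appOrigin;
    } catch (e) {
      return false; // unparsable URL: do not attach the token
    }
  }

  return {
    // Runs before every $http request.
    request: function (config) {
      var token = storage.getItem('authToken');
      if (token && isOwnOrigin(config.url)) {
        config.headers = config.headers || {};
        config.headers['X-My-Token'] = token;
      }
      return config;
    },
    // Runs for every failed $http response.
    responseError: function (rejection) {
      if (rejection.status === 401 && isOwnOrigin(rejection.config.url)) {
        storage.removeItem('authToken'); // drop the dead token
        onExpired(rejection);            // let the app show the login view
      }
      return $q.reject(rejection);       // keep the error visible to callers
    }
  };
}

// Registration in AngularJS (skipped when angular is not loaded).
// angular.module('coolModule') assumes the module is already defined.
if (typeof angular !== 'undefined') {
  angular.module('coolModule').config(function ($httpProvider) {
    $httpProvider.interceptors.push(function ($q, $window, $rootScope) {
      return makeAuthInterceptor($q, $window.localStorage,
        $window.location.origin, function () {
          $rootScope.$broadcast('auth:expired');
        });
    });
  });
}
```

After a successful login or registration call, store the returned token with `localStorage.setItem('authToken', data.token)` instead of setting the default header; the interceptor then picks it up on the next request.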
