How to configure CodeIgniter and Ion Auth with front and back ends into different domains










I'm working on a modernization of an old CodeIgniter application, by separating the application into front and back ends.

The new front end is an Angular SPA application. The backend still uses a CI application. The CI uses Ion_Auth to authorize users.

Everything works fine if both are on the same domain, for instance localhost.

The problem is that each part must be on different URL domains, i.e.:

  • Frontend - localhost:8081, in the future will be example.com

  • Backend - localhost:8082, in the future will be api.example.com

This way Ion Auth is able to log in users, but when I query whether the user is logged in, it returns false. CI doesn't hold the session anymore.

I also noted that when both are on the same domain the session folder contains only one file, which means that CI recognizes the session.

When I set them on different domains, a new file is created in the session folder for each XHR request. That means that CI is not holding the session anymore.

Why is this happening? What should I do to make the front and back ends work properly with Ion Auth?

Here is my CI configuration:

$config['sess_driver'] = 'files';
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
$config['sess_save_path'] = BASEPATH . 'var/session/';
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE;

$config['cookie_prefix'] = '';
$config['cookie_domain'] = '';
$config['cookie_path'] = '/';
$config['cookie_secure'] = FALSE;
$config['cookie_httponly'] = FALSE;

$config['csrf_protection'] = FALSE;
$config['csrf_token_name'] = 'csrf_test_name';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = TRUE;
$config['csrf_exclude_uris'] = array();


I also set:

header('Access-Control-Allow-Origin: *');
header("Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE");


And this is how I'm making the XHR requests:

$http({
    url: $rootScope.API_URL + "/user/check",
    method: "POST",
    headers: { "Content-Type": undefined },
    data: /*...*/
}).then( /*...*/ )

codeigniter session cookies session-cookies ion-auth






asked Nov 14 '18 at 1:44









Daniel Santos

  • Both frontend and backend use CI as the server-side PHP framework? "the session folder creates a new file for each XHR Request." - for every single request a new session file is created? Either way, CI uses cookies to identify sessions; your domain is probably the issue here. As long as the session files are stored on the same server you should be able to get it to work after some trial and error. Might be of use: stackoverflow.com/questions/22748422/…

    – Alex
    Nov 14 '18 at 2:11

  • Both frontend and backend use CI as the server-side PHP framework? Only the backend. The front end is pure HTML + JS. For every single request a new session file is created? YES, every one.

    – Daniel Santos
    Nov 14 '18 at 10:39

  • Have you looked at the link?

    – Alex
    Nov 14 '18 at 23:40

  • It doesn't solve my problem @Alex

    – Daniel Santos
    Nov 16 '18 at 0:06

















1 Answer
I just found at https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#section_5:

The most interesting capability exposed by both XMLHttpRequest or Fetch and CORS is the ability to make "credentialed" requests that are aware of HTTP cookies and HTTP Authentication information. By default, in cross-site XMLHttpRequest or Fetch invocations, browsers will not send credentials. A specific flag has to be set on the XMLHttpRequest object or the Request constructor when it is invoked.

(Special highlight to the NOT keyword in the sentence.)

In other words, it will not work anyway. A special flag must be present in the XHR request. When using the AngularJS $http object I must use withCredentials: true

$http({
    url: ...,
    withCredentials: true
})

Also need to set both headers in the API responses:

Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost

Unfortunately I was not able to use * as Access-Control-Allow-Origin; instead I must use the correct domains.

'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.

This way I was able to make cross-origin XHR requests with cookies, preserving sessions.






answered Nov 16 '18 at 1:15

Daniel Santos
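
The behaviour described in the question and answer above, as an added example that is not part of the original posts: a simplified JavaScript model of the browser's credentialed-CORS check and of a server policy that echoes only allowlisted origins. The function names, the allowlist contents (taken from the front-end addresses in the question) and the `https://unlisted.example` origin are assumptions made for illustration; this is not browser or CodeIgniter code.

```javascript
// Added example: a simplified model of credentialed CORS, not browser or CodeIgniter code.

// Assumption: the front-end origins named in the question (dev and planned production).
const ALLOWED_ORIGINS = new Set(['http://localhost:8081', 'https://example.com']);

// Server policy from the question: wildcard origin, no credentials header.
function wildcardPolicy(_origin) {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Server policy from the answer, generalized to an exact-match allowlist.
// The request's Origin is echoed back only when it is a known front end.
function allowlistPolicy(origin, allowed = ALLOWED_ORIGINS) {
  const headers = { Vary: 'Origin' }; // caches must not reuse one origin's response for another
  if (typeof origin !== 'string' || !allowed.has(origin)) {
    return headers; // no Allow-Origin header: the browser blocks the read
  }
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Browser-side CORS check (simplified from the Fetch standard).
function browserAllowsResponse(requestOrigin, withCredentials, headers) {
  const allowOrigin = headers['Access-Control-Allow-Origin'];
  if (allowOrigin === undefined) return false;
  if (!withCredentials) return allowOrigin === '*' || allowOrigin === requestOrigin;
  // Credentials mode "include": '*' is rejected, the origin must match exactly,
  // and Access-Control-Allow-Credentials must be the literal string "true".
  if (allowOrigin !== requestOrigin) return false;
  return headers['Access-Control-Allow-Credentials'] === 'true';
}

// One cross-origin XHR as the browser handles it.
function simulate(requestOrigin, withCredentials, policy) {
  const headers = policy(requestOrigin);
  return {
    // Without the flag the session cookie is neither sent nor stored from Set-Cookie,
    // so the backend starts a fresh session (a new session file) on every request.
    cookieSent: withCredentials,
    responseReadable: browserAllowsResponse(requestOrigin, withCredentials, headers),
  };
}

const SPA = 'http://localhost:8081';
console.log('question setup   ', simulate(SPA, false, wildcardPolicy));
console.log('flag + wildcard  ', simulate(SPA, true, wildcardPolicy));
console.log('flag + allowlist ', simulate(SPA, true, allowlistPolicy));
console.log('unlisted origin  ', simulate('https://unlisted.example', true, allowlistPolicy));
```

In the last scenario the cookie is still sent and only the read is blocked, so for requests that need no preflight the backend still processes the call; the `csrf_protection` setting in the question's configuration remains relevant once credentials are enabled.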
