[eluser]syrys[/eluser]
Im trying to setup a project with a standalone frontend using angularjs (so static html + js + css files), that communicates with a codeigniter backend using ajax for all its data and authentication. Note, both the frontend and backend is hosted in the same domain (so no real cross origin issues yet).
Frontend Hosted: mydomain.com
Backend/API: mydomain.com/api/latest/
Since it exists (not that it matters), im using the following project to make the REST json responses easier
Code:
https://github.com/chriskacerguis/codeigniter-restserver
Anyway, the main problem im facing is, im unsure what the best method to do authentication (and storing/remembering it). I mean, for traditional codeignighter based websites, you can simply login and store the logged_in status and user ID in the session and pass the client a session ID cookie (this is done automatically by CI). But how would you approach this when frontend only communicates with the backend with ajax? Im currently doing the same as the traditional way, and im facing an annoying problem:
Sometimes when 2 ajax requests happens almost simultaniously (close enough), say a double getCurrentLoggedInUser(), i get the first responded with the correct user, but the 2nd responded with null. Any by the end of the 2nd, you are pretty much logged out since the session id you have is not correct.
Im assuming: this happens when the first request fires and triggers a session update (Thanks to "$config['sess_time_to_update']"), and fires correctly (and changes session id correctly), but the 2nd response goes in with the old session ID and returns null since that does not exist and changes the session id to something else. So now we have a complete new session ID and you are sadly logged out.
I found few solutions, setting sess_time_to_update to something huge or even overriding the session update method to ignore ajax. But this is Bad (?). Since every request is infact Ajax, you do want the session to be updated, and to have the session id to change often (session hijacking).
Im sure some of you have been here before and solved this problem many times. What are/were your approaches to this? What is the best way?
Store the session or logged in status some other way (similar to session that you can manipulate)?
Disable Session update on ajax requests and then write some sort of a ajax ping which will call a force session update?
Are there other solutions im not thinking or unaware of?
Now, if i were to convert this Angular Standalone Website to an App (using phonegap or similar) running on webview, how would i go about managing the authentication session then? Same? Or should i be doing something special?
Any input is appreciated. Any code examples or snippets that may solve the problem is also appreciated greatly.
For those of you who are unaware of Angular Standalone Websites, For the sake of the above case, think of it as a static html frontend (absolutely no link to the php backend). and this static html standalone site only communicates to backend via Ajax (post/get using jquery or what ever you are familiar with).
