Sails not setting cookie on CORS login

[mihaa1]

Node version: 10.15.0 Sails version (sails):1.1.0 ORM hook version (sails-hook-orm):2.1.1 Sockets hook version (sails-hook-sockets): 1.5.5 Organics hook version (sails-hook-organics): 0.15.0 Grunt hook version (sails-hook-grunt): 3.1.0 Uploads hook version (sails-hook-uploads):? DB adapter & version : sails-postgresql@1.0.2 Skipper adapter & version : skipper-disk@0.5.6

---

I have an angular SPA with a Sails backend. The angular app is served from a separate port than the sails app (sails is runnnig on 1337 and angular on 4200). I am trying to do a login request, and save the session cookie. This works if I host the client app on the same port, but if I make the request from 4200 the cookie isn't registered automatically.

Tried enabling CORS, with credentials. Also tried to "allowResponseHeaders" - and set the cookie manually but with no luck.

What am I missing? Is this something on the client side? Do i need to enable something else in the sails configuration?

[sailsbot]

@mihaa1 Thanks for posting! We'll take a look as soon as possible.

In the mean time, there are a few ways you can help speed things along:

• look for a workaround. (Even if it's just temporary, sharing your solution can save someone else a lot of time and effort.)
• tell us why this issue is important to you and your team. What are you trying to accomplish? (Submissions with a little bit of human context tend to be easier to understand and faster to resolve.)
• make sure you've provided clear instructions on how to reproduce the bug from a clean install.
• double-check that you've provided all of the requested version and dependency information. (Some of this info might seem irrelevant at first, like which database adapter you're using, but we ask that you include it anyway. Oftentimes an issue is caused by a confluence of unexpected factors, and it can save everybody a ton of time to know all the details up front.)
• read the code of conduct.
• if appropriate, ask your business to sponsor your issue. (Open source is our passion, and our core maintainers volunteer many of their nights and weekends working on Sails. But you only get so many nights and weekends in life, and stuff gets done a lot faster when you can work on it during normal daylight hours.)
• let us know if you are using a 3rd party plugin; whether that's a database adapter, a non-standard view engine, or any other dependency maintained by someone other than our core team. (Besides the name of the 3rd party package, it helps to include the exact version you're using. If you're unsure, check out this list of all the core packages we maintain.)

  ---

Please remember: never post in a public forum if you believe you've found a genuine security vulnerability. Instead, disclose it responsibly.

For help with questions about Sails, click here.

[raqem]

Hi @mihaa1 I was looking into your issue but I need a little more info. Can you please provide your config/security.js to see how your CORS is set up? Here is the official docs on CORS if that is helpful.

[mihaa1]

@raqem thanks for the response.

Here is my security.js file: cors: { allRoutes: true, allowOrigins: ['http://localhost:4200'], allowCredentials: true, }, csrf: true

[crh3675]

Hmm, different port with cookie? Typically an SSL cookie (443) cannot be read by a port 80 request as the 443 is designated as secure. As per the RFC https://tools.ietf.org/html/rfc6265, the behavior you "want" to occur is considered insecure and I consider the Sails framework to be secure with its implementation. Meaning, you are breaking the "8.5" confidentiality clause of the RFC. I consider this to be an as-expected behavior - not a bug.

[mihaa1]

@crh3675 so what I understand from you - is there is no way using the built in auth functionality in sails to authenticate a client which is hosted on another domain?

What do you suggest I do in this situation? Move to JWT perhaps?

[crh3675]

What I typically do is use an