I’ve built a RESTful service that serves XML + JSON to Android clients and a browser client. Currently, my REST service uses cookie based authentication. Everything works together within Same Origin Policy since the browser client pages are served from the same web server that serves the REST service.
I’d like to separate my browser app and serve its pages from a different web server than the REST services. I can use Cross Origin Resource Sharing to continue making XmlHttpRequest calls from the browser to the REST services but I can’t figure out authentication.
- I send an XmlHttpRequest off to the authentication service
- The REST server sets a cookie in the response
- When the browser receives the successful request, it moves the app to the next page
- The next page does not maintain the cookie set on the log-on page, so all XmlHttpRequest calls to the REST service fail with 401
What’s the best way to tackle this? If cookie authentication is a no go, what should I use for this situation?
My suggestion would be to run an Apache or similar web server in front of both servers and use the proxy module. That way all the calls are to the same host, so the cookies are kept. This has worked for me in a number of projects, including ones with cookie-based authentication.