ember.js session-cookies ember-simple-auth

ember cookie vs server cookie


I am using Ember and Ember-simple-auth. This question is to clear my confusion related to cookies etc.

I have configured ember storage to Cookie.

My server is sending a cookie to be saved on the client side, i.e.:

Set-Cookie: dejavu.session=WwwLQjdfOoNz_-bhyYpBLvzew7IUaJuu; Path=/; Expires=Mon, 28-May-2018 15:59:30 GMT

My understanding is that:

  1. the browser automatically captures the cookie from the Set-Cookie header (meaning it should be visible in dev tools)

  2. the browser automatically adds this cookie to subsequent requests.

  3. I don't need to do anything extra with Ember Simple Auth, as the server cookie is handled by the browser by default.

Based on this understanding, in Chrome inspector I just see one cookie of ember-simple-auth and nothing else.

My questions are:

1- Should I see a separate cookie (the one sent from the server) in dev tools along with the Ember cookie (set by Ember Simple Auth)? Or does my server cookie have to be embedded in the Ember cookie? I actually don't see the server cookie in my dev tools, so I am confused.

2- Is it the right concept that the Ember cookie is storage for Ember, but the server cookie is the one that the browser will capture and send in the header of subsequent requests?


Solution

  • OK. I found the solution after a lot of testing and exploration. The answer to both my questions is:

    There is a bug in Chrome dev tools that doesn't show the cookie sent from the server. We don't need to embed the server cookie in the Ember cookie. The browser manages cookies itself. The server only has to send a cookie, and then the browser will manage it, e.g. discard it if it expires, and automatically add it to the header of each subsequent request sent via the API. We can see the cookie as the request is sent, in the dev tools 'Network' tab under request headers.

    With a session cookie and Ember-simple-auth we don't need to set an authorizer in the header (for adding the cookie to the header), as this will override the session cookie (that was set by the browser).

    So when using Ember-simple-auth and session authentication, correct flow is:

    1. add addon

    2. set up the authenticator (follow the GitHub docs)

    3. don't set authorizer (as told in docs)
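
The browser behaviour described in this answer, as an added example that is not part of the original post: a simplified cookie jar in plain JavaScript that stores the question's Set-Cookie header, attaches it to later requests and drops it once expired. It goes slightly beyond the post by also listing the Secure, HttpOnly and SameSite attributes that the header does not set; the names CookieJar, parseSetCookie and missingHardening are hypothetical, and the ember-simple-auth cookie name and value are assumptions.

```javascript
// Added example: simplified model of browser cookie handling (not full RFC 6265).
const SERVER_COOKIE = 'dejavu.session=WwwLQjdfOoNz_-bhyYpBLvzew7IUaJuu; Path=/; ' +
  'Expires=Mon, 28-May-2018 15:59:30 GMT';                     // header from the question
// Cookie the addon's cookie store writes itself; name assumed, value constructed.
const ESA_COOKIE = 'ember_simple_auth-session=%7B%7D; Path=/';

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   path: '/', expires: null, flags: [] };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1);
    if (key === 'path') cookie.path = val;
    // Normalise the older "28-May-2018" date style so Date.parse accepts it.
    else if (key === 'expires') cookie.expires = Date.parse(val.replace(/-/g, ' '));
    else cookie.flags.push(key);
  }
  return cookie;
}

class CookieJar {
  constructor() { this.cookies = new Map(); }   // keyed by name only (simplification)
  store(header) { const c = parseSetCookie(header); this.cookies.set(c.name, c); }
  // Cookie request-header value the browser would attach for `path` at time `now` (ms).
  cookieHeader(path, now) {
    const out = [];
    for (const [name, c] of this.cookies) {
      if (c.expires !== null && c.expires <= now) { this.cookies.delete(name); continue; }
      if (path.startsWith(c.path)) out.push(`${c.name}=${c.value}`); // prefix match only
    }
    return out.join('; ');
  }
}

// Hardening attributes a session cookie usually carries; returns those absent.
function missingHardening(header) {
  const flags = parseSetCookie(header).flags;
  return ['secure', 'httponly', 'samesite'].filter(f => !flags.includes(f));
}

const jar = new CookieJar();
jar.store(SERVER_COOKIE);
jar.store(ESA_COOKIE);
console.log(jar.cookieHeader('/api/items', Date.UTC(2018, 4, 1)));  // both cookies sent
console.log(jar.cookieHeader('/api/items', Date.UTC(2018, 5, 1)));  // server cookie expired
console.log(missingHardening(SERVER_COOKIE));
```

Both cookies travel in the same Cookie request header without any authorizer, and the server cookie stops being sent after its Expires time.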