11

I am creating an application based on Rails and AngularJS. I would like to implement an authentication system using the Devise gem. I am wondering how to do it. I read some articles about the attribute :token_authenticatable: I will have to put my token at the end of all requests I send.

I have also read this demo project: https://github.com/sectore/CafeTownsend-Angular-Rails. They have implemented a SessionService which can create and delete a server session. (I suppose I can use Devise for this job.) In the Rails controller, they get session[:user_id] to know if the user is authenticated or not...

My question: do I need a token system or a cookie system to authenticate my requests?

Thanks

6
  • Is this question about AngularJS or Devise? I've done both token- and cookie-based auth with AngularJS and it looks like Devise supports both (via Token Authenticatable and Rememberable). Commented May 15, 2013 at 20:46
  • My question is about how to design a good authentication system when I use AngularJS with Rails as an API. If both solutions are supported, I don't know. Maybe the cookie-based one is easier to implement. Commented May 15, 2013 at 22:31
  • 2
    Cookies are easier because the browser sends them automatically with each request. If you plan on supporting non-browser clients, you should go with a token passed in HTTP headers - check out $http.defaults.headers.common to inject your token header for all $http requests. Commented May 16, 2013 at 13:18
  • 1
    To give feedback: I have finally chosen the token system because session_id was not sent for POST requests. The token system is a bit more tricky to implement, but now I know exactly what happens. Commented May 30, 2013 at 14:20
  • 1
    Take a look at this Railscast, railscasts.com/episodes/352-securing-an-api, it may help you. Commented Jun 24, 2013 at 14:24

1 Answer

6

If your server will be on the same domain as your client, i.e. it will only be expecting requests from your Angular client, and the client is hosted on the same URL as the server, then you should use cookies over SSL (for simplicity), e.g.:

Your site:

www.myangularsite.com/somepage

Your Server

www.myangularsite.com/someserverfunction

They both have the same domain.

However, if you plan on having your server side on a different URL, maybe as an API, then go with tokens, e.g.:

Your site:

www.myangularsite.com/somepage

Your Server

api.myangularsite.com/someserverfunction
or
myrubyapi.com/someserverfunction

The URL domain is different.
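The same-domain versus different-domain rule from the answer, combined with the header injection mentioned in the comments, as an added example that is not part of the original answer. It is shaped like an AngularJS `$http` request interceptor; `makeAuthInterceptor`, the `X-Auth-Token` header name and the sample origins are assumptions chosen for illustration.

```javascript
// Added example (not from the original post). Names and header are assumptions.
// Same origin  -> rely on the session cookie the browser sends by itself.
// API origin   -> attach the token header, and only over HTTPS.
// Anything else -> strip the token so it never reaches a host that should not see it.
var TOKEN_HEADER = 'X-Auth-Token'; // hypothetical header name

function makeAuthInterceptor(pageOrigin, apiOrigin, getToken) {
  var page = new URL(pageOrigin).origin;
  var api = new URL(apiOrigin);
  if (api.protocol !== 'https:') {
    throw new Error('API origin must use HTTPS before a token is sent to it');
  }

  return {
    // Same shape as the `request` hook of an $http interceptor:
    // takes the request config and returns it.
    request: function (config) {
      config.headers = config.headers || {};
      // Relative URLs resolve against the page, as they do in a browser.
      var target = new URL(config.url, page).origin;

      if (target === api.origin && target !== page) {
        config.headers[TOKEN_HEADER] = getToken();
      } else {
        // Same-origin requests use the cookie; other hosts get nothing.
        delete config.headers[TOKEN_HEADER];
      }
      return config;
    }
  };
}

// Constructed sample usage with the host names from the answer.
var interceptor = makeAuthInterceptor(
  'https://www.myangularsite.com',
  'https://api.myangularsite.com',
  function () { return 'constructed-sample-token'; }
);
var sample = interceptor.request({ url: 'https://api.myangularsite.com/someserverfunction' });
console.log(sample.headers);
```

Matching on the full origin (scheme, host and port) rather than on a substring of the URL means a plain-HTTP request to the API host, or a look-alike host name, does not receive the token.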
