Note

The cookie-based authentication flow may vary depending on the server framework, but the general pattern of setting a cookie and attaching that cookie to every subsequent request remains the same.

In cookie-based application authentication, if the application needs the user context, the server exposes an endpoint (such as /user/details) that returns the data specific to the logged-in user. The client application can then implement a service such as UserService that loads and caches the user profile data.

The scenario described here assumes that the API server (the server that returns data) and the site hosting the application are on a single domain. That may not always be the case. Even for Personal Trainer, the data resides on the MongoLab servers while the application resides on a different server (even if it is local). We already know that this is cross-domain access, and it comes with its own set of challenges.

In such a setup, even if the API server is able to authenticate the request and send a cookie back to the client, the client application still does not send the authentication cookie on subsequent requests.