Calling Member service API from a sub domain
Hello,
I have set up an account area on a site using Umbraco membership service and an API call that returns JSON on user's name, etc. when the user is logged in.
I need to call this URL from a subdomain application (no CMS) built in Angular JS so we can show if the user is logged in or not. How can I get it to know from a client side JS API call that the user is logged in on the other domain?
Does anyone have any advice on how they have implemented this kind of thing before?
Thanks,
Carole
Hi Carole,
I would create an UmbracoApiController with an endpoint you can call from your subdomain application.
You'll probably need to add a header to your WebApi response to avoid the cross origin request (CORS) issue.
Maybe also some kind of authentication to keep it secure too.
That's a good solution, Dan.
The only thing I'd add is that you shouldn't enable CORS for all domains, i.e., *. Make sure to enable it only for the domain where your angular app is hosted.
You can also configure CORS in the web.config like this:
Cheers!
Hi Dan,
I already have some APIs available from the CMS app to Angular app and they work fine so I don't think it's a cross domain thing.
The Umbraco site with webapi endpoints is on www.domain.com and the angular app calling these is on subdomain.domain.com.
Now I have added a membership area to www domain and calling an API that checks if the user is logged in, it always returns false when calling "MemberIsLoggedOn()". So the call is getting in to the endpoint but the user isn't being seen as logged in.
When I am logged in and hit the API endpoint in my browser MemberIsLoggedOn() returns true and the JSON response I need. When I call the endpoint client side in the same browser from my Angular app it returns false.
I hope this makes sense.
Thanks,
Carole
I believe what you need to do is change your auth cookie configuration.
If you inspect the cookie, the domain option should be something like: www.domain.com
What you need to do is configure the domain to be .domain.com so the cookie can be read cross-domain.
To configure this in the membership provider, you can do something like this in your web.config:
Cheers!
Sorry, I really should read the question properly :D
I think the issue is likely to be cookie related. Umbraco sets an auth cookie to store authentication, but it probably wouldn't be visible from another domain (or sub domain).
It might be worth trying to change the cookie path in web.config forms element.
Other than that, the only thing I can think of would be to implement some kind of custom member state on the Umbraco side, and then check that instead of IsMemberLoggedOn().
Ok, I'll have a look at those options and post back here if I find a solution.
Thanks for your advice, I appreciate it :)
Thanks,
Carole
Hi Carole,
Dan pointed out the issue. I was looking at the code for this method, this is what is behind the scenes:
The "User" and "User.Identity" properties of the httpContext are indeed based on an authentication cookie.
If the cookie path change does not work and you end up building a custom member state, be careful to protect the access to that information one way or another, in order to not enable third parties to query the system and see who is online or not ;-)
Cheers,
Michaël.
Hi Everyone,
Thanks for your help on this. On the www domain I had to set the cookie domain to .domain.com. Then in the angular app I had to set:
$httpProvider.defaults.withCredentials = true;
It then sent the cookies over in the request so it was able to see I was logged in. I had to use JSONP so it was able to wrap the response in a callback, getting around the cross-domain issues.
Thanks,
Carole
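The credentialed cross-origin call discussed in this thread (CORS limited to the Angular app's origin, plus `withCredentials = true`), as an added example that is not code from the thread or from Umbraco. It is a language-neutral model, written in JavaScript, of the server-side origin allowlist and of the check the browser applies to the response; the `https` scheme and all function names are assumptions.

```javascript
// Added example: CORS decision for cookie-authenticated (credentialed) requests.
// Hostnames follow the thread; the https scheme and function names are assumptions.
const ALLOWED_ORIGINS = new Set(['https://subdomain.domain.com']);

// Returns the CORS response headers for a request's Origin header value.
function corsHeadersFor(origin) {
  // Exact string match only: no "*", no suffix, substring or regex checks.
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) {
    // No CORS headers: the browser keeps the calling script from reading the response.
    return { 'Vary': 'Origin' };
  }
  return {
    'Access-Control-Allow-Origin': origin,       // echoed back, never "*"
    'Access-Control-Allow-Credentials': 'true',  // required when withCredentials = true
    'Vary': 'Origin',                            // stop caches reusing it for another origin
  };
}

// Mirrors the browser-side check: may script on pageOrigin read a credentialed response?
function browserAllowsRead(pageOrigin, headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  // With credentials, browsers reject "*" and require Allow-Credentials to be "true".
  return acao !== undefined && acao !== '*' && acao === pageOrigin &&
         headers['Access-Control-Allow-Credentials'] === 'true';
}

// Constructed sample origins, including look-alikes that loose matching would accept.
const SAMPLE_ORIGINS = [
  'https://subdomain.domain.com',
  'http://subdomain.domain.com',              // scheme downgrade
  'https://subdomain.domain.com.example.net', // prefix look-alike
  'https://notdomain.com',                    // shares only a suffix
  'null',                                     // sandboxed iframe or file: origin
];

// Pairs each sample origin with the outcome of the server and browser checks.
function evaluateSamples() {
  return SAMPLE_ORIGINS.map(o => [o, browserAllowsRead(o, corsHeadersFor(o))]);
}

for (const [origin, ok] of evaluateSamples()) {
  console.log(`${ok ? 'ALLOW' : 'DENY '} ${origin}`);
}
```

JSONP is loaded through a script tag and is not subject to this origin check, so an endpoint served that way does not get the allowlist's protection.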
Glad you got it working!!