I'm using Node/Express to make a pure backend API. My front-end (Angular.js) is hosted on a separate server. I have a few lines of middleware for every request to allow CORS.
If I start Chrome with -args --disable-web-security flags, everything works great!
However, if I start it normally, cookies seem to not be getting set in the browser, and therefore sessions on the Node side aren't kicking in. This is the same for Safari/Mobile Safari/etc.
I've tried browser options such as "accept all cookies"/"never block cookies". I thought maybe browsers don't like localhost, but this is the same behavior on localhost and on actual hosted domains.
The flow is:
I log in and the session is set with an id; on success the frontend is directed to the next page. This works, and I console logged req.session.id and it's correct.
On the next page a request is sent; the Node server is configured to use the id in the session for this request. With Safari/Mobile Safari/Chrome the req.session.id is suddenly empty. With Chrome -security disabled, the req.session.id is still correct and behaves just like it should.
Please refer to this answer that covers cross-domain cookies and session: Using Express and Node, how to maintain a Session across subdomains/hostheaders
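An added example, not part of the original question or answer: browsers only attach and store cookies on a cross-origin XHR when the client opts in (`withCredentials: true` in Angular's `$http` config) and the response names the exact requesting origin together with `Access-Control-Allow-Credentials: true`. The sketch below assumes that is the cause here; the origins, allowlist and function names are constructed for illustration.

```javascript
// Added example: credential-aware CORS for an Express-style API.
// Constructed allowlist; replace with the real front-end origins.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'http://localhost:9000']);

// Build the CORS response headers for one request Origin.
function corsHeaders(origin, allowed = ALLOWED_ORIGINS) {
  const headers = { Vary: 'Origin' };                   // response differs per origin
  if (!origin || !allowed.has(origin)) return headers;  // unknown origin: no grant
  headers['Access-Control-Allow-Origin'] = origin;      // exact origin, never "*"
  headers['Access-Control-Allow-Credentials'] = 'true'; // required for cookies
  headers['Access-Control-Allow-Methods'] = 'GET,POST,PUT,DELETE,OPTIONS';
  headers['Access-Control-Allow-Headers'] = 'Content-Type';
  return headers;
}

// Express-compatible middleware: app.use(corsMiddleware) before the routes.
function corsMiddleware(req, res, next) {
  const headers = corsHeaders(req.headers.origin);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  if (req.method === 'OPTIONS') {                       // answer the preflight here
    res.statusCode = 204;
    return res.end();
  }
  next();
}

// Mirror of the browser's check on a credentialed cross-origin response:
// a wildcard origin or a missing credentials header makes the browser
// withhold the response from the page.
function browserAcceptsCredentialed(pageOrigin, headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === '*') return false;
  return acao === pageOrigin && headers['Access-Control-Allow-Credentials'] === 'true';
}
```

Reflecting only allowlisted origins keeps the same-origin policy in force for every other site, which `--disable-web-security` removes entirely.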