ruby on rails - Devise AJAX - POST request : current_user is null -

i try develop single page application authentication. use devise (rails) , angularjs. different reasons rails application , angularjs application not on same server. so, have handle cross domain issues... , can't send x-csrf-token in header. can correctly sign in , sign out , send request without problem. in rails controllers, can use current_user, it's correctly set. however, when send post request, current_user null. seems session_id not sent. problem due cross domain, because if send ajax request same server, ok.

i think, have 2 solutions : - don't use authentication cookie-based, use token - put front-end , back-end on same server.

other ideas ? why current_user null when send post request cross domain ?

you send csrf token in headers it's bad practice exposes security holes (issue thread on github explaining why)

safest way go disable csrf together:

class applicationcontroller < actioncontroller::base   # or use api::basecontroller < applicationcontroller if namespacing   # prevent csrf attacks raising exception.   # apis, may want use :null_session instead.   protect_from_forgery with: :null_session end 

and use token based authentication can either implement yourself or use devise's :token_authenticatable. have configure angularjs send token either in params or headers. here's snippet use having rails figure out if token in headers or params.

class api::basecontroller < applicationcontroller   prepend_before_filter :get_auth_token     private   def get_auth_token     if auth_token = params[:auth_token].blank? && request.headers["x-auth-token"]       params[:auth_token] = auth_token     end   end end 

so in end how works is:

1. client uses login method defined authenticate
2. obtains authentication token server
3. uses token in each subsequent request purpose of authorization