Recently I tried to build a hybrid app, and the first thing I ran into is the cross-domain session loss problem. I don't know how mobile clients commonly persist the login state now. Is there any expert willing to talk about it?
The approach I came up with for this problem is that PHP verifies whether the session ID sent by POST is present in the cookie, and after validation I print the value directly using session_id() (the function returns the session ID that was set). The client can then fetch it directly ...
But then there was a problem. I used
    document.cookie = 'PHPSESSID=' + returnedSessionId; // returnedSessionId: the session ID the server returned
This sets the cookie's scope to the current path under the current domain name.
You can see it in Chrome after setting it, but when I then make a request to the page, I find that no cookies are sent ....
At this point I think it is because the domain setting does not allow the cookie to be sent, so I added domain and path at the end, but it would not set successfully
    document.cookie = 'PHPSESSID=' + returnedSessionId + ';domain=a.com;path=test/';
After doing this and refreshing the page, I found that the cookie could not be set (it may be Chrome blocking it for security reasons).
I'm sure the server side is set up correctly; that is, the cookie just cannot be set here via Ajax. Then I searched the Web, which said Ajax can set the cookie itself, and I tried that.
    $http({
        headers: { cookie: 'PHPSESSID=192fac5eb0b9970dfedbb20773013e91' },
        xhrFields: { withCredentials: true },
        crossDomain: true,
        method: 'get',
        url: server.domain + server.api + '/resumelogin'
    }).success(function (d) {
        console.log(d);
    });
The Chrome console prints: Refused to set unsafe header "Cookie"
I looked this question up; StackOverflow has an answer, but it is also vague.
================================
Now I have no idea. Is my approach wrong? Should I change my thinking about how to do this? How should I save the login state of the user?
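The two failures described in the question (the Domain attribute being rejected, and the browser refusing a script-set Cookie header) both come from rules the browser enforces, not from the PHP side. The following is an added example, not code from the original post: it implements the RFC 6265 domain-match rule that decides whether a page on one host may set a cookie for a given Domain attribute, plus the Fetch standard's forbidden-request-header check. The host names used are constructed for illustration.

```javascript
// Added example (not from the original post). Hostnames are constructed.

// RFC 6265 section 5.1.3: a host "domain-matches" a domain string when they are
// identical, or the host ends with "." + domain and the host is not an IP address.
function domainMatches(host, domainAttr) {
  host = host.toLowerCase();
  const domain = domainAttr.toLowerCase().replace(/^\./, ''); // leading dot is ignored
  if (host === domain) return true;
  if (!host.endsWith('.' + domain)) return false;
  // An IPv4 address never matches by suffix
  return !/^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Returns true if document.cookie on a page served from `pageHost` may set a cookie
// whose Domain attribute is `domainAttr`. Browsers silently drop a cookie whose
// Domain attribute the page's own host does not domain-match (RFC 6265 section 5.3,
// step 6); this is why "domain=a.com" fails unless the page itself lives under a.com.
function canSetCookieDomain(pageHost, domainAttr) {
  if (!domainAttr) return true; // no Domain attribute: host-only cookie for pageHost
  return domainMatches(pageHost, domainAttr);
}

// Request headers the Fetch standard forbids scripts from setting. The browser
// alone controls them, which is why XMLHttpRequest.setRequestHeader('Cookie', ...)
// produces "Refused to set unsafe header". The list below is the standard's list.
const FORBIDDEN_REQUEST_HEADERS = new Set([
  'accept-charset', 'accept-encoding', 'access-control-request-headers',
  'access-control-request-method', 'connection', 'content-length', 'cookie',
  'cookie2', 'date', 'dnt', 'expect', 'host', 'keep-alive', 'origin', 'referer',
  'set-cookie', 'te', 'trailer', 'transfer-encoding', 'upgrade', 'via',
]);
function isForbiddenRequestHeader(name) {
  const n = name.toLowerCase();
  return FORBIDDEN_REQUEST_HEADERS.has(n) || n.startsWith('proxy-') || n.startsWith('sec-');
}

// Authorization is not on the list, so a token carried there is under the script's control.
console.log(canSetCookieDomain('app.a.com', 'a.com'));   // true
console.log(canSetCookieDomain('file-host.local', 'a.com')); // false
console.log(isForbiddenRequestHeader('Cookie'));         // true
console.log(isForbiddenRequestHeader('Authorization'));  // false
```

The practical reading of this for a hybrid app: a page that is not itself served from a.com cannot plant a PHPSESSID cookie for a.com by any client-side means, and Ajax cannot attach one by hand either; the cookie has to be set by the server's own Set-Cookie response on a request made with credentials enabled, or the session has to be carried in a header the script is allowed to set.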
Reply content:
Do not use cookies for mobile app auth; nowadays OAuth2, that is, token authentication, is generally used.
Simply put, the process is:
1. The client sends login information (such as email and password) to the server
2. After confirming that the information is correct, the server generates an access token, commonly a JWT (JSON Web Token), gives it an expiration time, and then passes it to the user
3. The client saves this access token and puts it into the header every time a request is made.
Why this kind of access token is safe and what the benefits of JWT are is covered in many online articles, for example https://stormpath.com/blog/the-ultimate-guide-to-mobile-api-security/