B4J Question AJAX/CORS Cookie Replacement

[Squiffy]

Bit of a general one this, and not entirely confined to B4J - but I am creating a purely JS based front end that will be communicating with a B4J server back end.

How do people keep session data? CORS rules stop cookies being sent by the browser (different ports for JS/web server and B4J server violate cross domain JS rules), so I need to find a way to make sessions persistent.

People need to log in and the server needs to ensure it only gives pertinent data back. Short of building my own cookie/token custom system (which is bound not to be as good as any mature, built in browser based system), what are the choices? Has anyone else solved this?

 

[Erel]

You can generate a random id and send it as a GET parameter in all requests. In the server side store the session information in a global (concurrent) map with the id as the key.

From time to time you will need to go over the map and remove old items.

 

[Squiffy]

Hi Erel - yeah, that's what I'm doing.
Google throws up a gazillion articles & discussions on this subject (cross network/origin forgery) and you can go snow blind reading all the differing opinions on SO - I suppose I'm really asking has anyone here found a neat way they would recommend to verify the token being sent is actually coming from the legitimate user. Does anyone have a proven best way of "fingerprinting" the user as well as anyone can within B4J?

I could reject if the IP changes (though there are many legit reasons why this might happen to the legitimate user).
I could store header data with the UUID and check each request, but headers can be forged.

Is it even worth trying, given that the browser must be considered hostile? Everything will be SSL of course, reducing the MiM risk, but should I even worry about another browser mimicking the legit user? If the scammer is able to get the token directly from the machine and mimmick its headers, surely all is lost anyway?

Note this is all from the context that I am using B4J as an API server on its own hardware. It will only return data, not web pages.

Big question