
We use CORS, which unfortunately is more of a headache than it's worth and lacks IE <10 support. Our backend proxies and handles session management via a secure, hashed cookie helper library which maintains expiries among other things. We take advantage of shared cookies on a global cookie domain. There's some ugly handling for IE10 regarding CORS and how it handles cookies which I won't get into. Authentication state is managed via the session, which we actually query our backend for on page requests. It's a bit of overhead to have to always be querying for the user/auth object to check login status, but it's easily cacheable (and bustable).
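The setup the comment above describes, sketched as an added example that is not the commenter's code: an HMAC-signed session cookie that carries its own expiry, scoped to a shared parent domain, plus the credentialed-CORS headers for the login-status query. The key, the `example.com` domain, the origin list and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: server-side signing key
COOKIE_DOMAIN = ".example.com"    # assumption: the shared cookie domain
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}  # assumed

def _mac(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def sign_session(user_id, ttl, now=None):
    """Build 'user|expiry|mac'; the expiry is covered by the HMAC."""
    expiry = int((time.time() if now is None else now) + ttl)
    payload = f"{user_id}|{expiry}"
    return f"{payload}|{_mac(payload)}"

def verify_session(cookie, now=None):
    """Return the user id for an authentic, unexpired cookie, else None."""
    try:
        user_id, expiry, mac = cookie.split("|")
        expiry_ts = int(expiry)
    except ValueError:
        return None
    # Constant-time comparison before trusting any field.
    if not hmac.compare_digest(mac.encode(), _mac(f"{user_id}|{expiry}").encode()):
        return None
    if expiry_ts <= (time.time() if now is None else now):
        return None
    return user_id

def set_cookie_header(value, ttl):
    """Cookie scoped to the shared domain so sibling subdomains send it."""
    return (f"session={value}; Domain={COOKIE_DOMAIN}; Path=/; Max-Age={ttl}; "
            "Secure; HttpOnly; SameSite=Lax")

def session_response(origin, cookie, now=None):
    """Headers and body for the cross-origin login-status query."""
    headers = {"Vary": "Origin"}
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return headers, {"authenticated": False, "user": None}
    if origin is not None:
        # Credentialed CORS needs the exact origin echoed back, never "*".
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    user = verify_session(cookie or "", now)
    return headers, {"authenticated": user is not None, "user": user}
```

On the client side the query has to be sent with credentials enabled (`withCredentials` on XHR, `credentials: "include"` on `fetch`), otherwise the browser omits the cookie.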

