Why doesn't the login session "stick" when login in using "ionic serve" window but works when I point the browser to the www folder?

you were taking about REST api and cookies and sessions. Cookies and sessions don't go with REST philosophy. Here is why.

Let me tell you how we accomplish this problem in our project. Basic way of knowing which user is requesting and if it has the access rights is by the 'Authorization' header value. You can use Basic Authentication, Barer or any other.

We generally prefer token based authorisation system. When a login is successful, server sends a token. In ionic app, we save it using a factory called SessionService. So whenever user logs in, token is stored and is used for every request. But token would be lost if user closes the app. So we can store it in local storage. User can then be directly redirected to dashboard until user logs out.

app.factory("SessionService", function($window){    var user={};    if ($window.localStorage['user']!=undefined){        user=JSON.parse($window.localStorage['user']);        console.log(user);    }    return{        isLoggedIn:function(){            return !isEmpty(user);        },        logout:function(){            console.log("logout")            user={};            $window.localStorage.clear();        },        setUser:function(data){            user=data;            $window.localStorage['user']= JSON.stringify(user);        },         getUser:function(){            return user;        }    }})

Now in every web request, you can call SessionService.getUser().token when setting value Authorization header.

UPDATE:

Despite using cookies is not recommended, you can use it in your application easily.

If you are sending request with CORS, angular doesn't sends cookies with request. One of the way address this issue is to send withCredentials: true with every request:

$http({withCredentials: true, ...}).get(...)

Read further about this here.

Hope this helps!