New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix #43147: LTI 1.3 Cosumer authentication fails with provider on different domain #8756

Open

fneumann wants to merge 2 commits into ILIAS-eLearning:release_8 from fneumann:fix8-lti-auth

Contributor

fneumann commented Dec 19, 2024

https://mantis.ilias.de/view.php?id=43147

Set an addititional PHPSESSID cookie for LTI 1.3 authentication

The standard cookie does not work with LTI tools on different domains because it has samesite = Lax
The additional cookie sets samesite to None so that it is sent with the POST request from the LTI tool
Limit the additional cookie to the path of the ltiauth.php script
Force secure to require HTTPS (needed for samesite = None)

See https://web.dev/articles/samesite-cookie-recipes?hl=en#unsafe-requests


          Set PHPSESSID cookie for LTI 1.3 authentication

fneumann added bugfix php labels

fneumann assigned Saaweel


          Use session_name() instead of PHPSESSID

fb4cf70

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels