Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-79712

Ensure SameSite=None on MoodleSession cookie to retain support for embedded launches

XMLWordPrintable

    • MOODLE_403_STABLE
    • MOODLE_401_STABLE, MOODLE_402_STABLE, MOODLE_403_STABLE
    • MDL-79712-401
    • MDL-79712-403
    • MDL-79712-main
    • Hide

      Prerequisites

      1. This should to be tested in the following browsers:

      • Firefox - vanilla settings (currently treats missing samesite as samesite=none)
      • Firefox with 'network.cookie.sameSite.laxByDefault' set to true (in about:config)
      • Chrome

      Please make sure you have access to these.

      2. This needs to be tested using 2 public HTTPS sites on different domains. So, please make sure you can publish your dev sites using something like ngrok, localtunnel, expose, etc. etc.

      3. You need two Moodle sites - one called 'platform' and one called 'tool':

      • In the tool site admin settings:
        • Enable enrol_lti and auth_lti plugins
        • Enable "Allow frame embedding"
      • Make both sites public, HTTPS sites using something like ngrok, localtunnel, expose, etc.
        • Each MUST have a distinct domain to ensure we hit cross-site checks, so you may need to use 2 different tools

      Course setup

      1. Login to the tool site as the admin
      2. Create a course called 'tool course'
      3. Create an assignment in the course
      4. From the course nav, select "More > Published as LTI tools"
      5. Click to publish a new resource
      6. Select the assignment in the "Tool to be published" field, leaving everything else alone
      7. Save
      8. In another tab, login to the platform site as the admin
      9. Create a course called 'platform course'

      LTI 1.3 setup

      1. Login to the tool site as the admin user
      2. Go to Admin > Plugins > Enrolment plugins > Publish as LTI tool > Tool registration
      3. Click to create a new registration
      4. Name the registration "platform site" and continue
      5. You'll see a dynamic registration URL. Click the "Copy to clipboard" icon to copy it
      6. Now, in another browser tab, login as the admin user to the platform site
      7. Go to Site admin > Development > Debugging and set debug messages to "None". If we don't do this, we'll hit MDL-80674.
      8. Go to to Admin > Plugins > Activities > External tool > Manage tools
      9. Paste the URL value into the "Tool URL" field
      10. Click "Add LTI Advantage"
      11. You should see a tool card now. Click "Activate" on it.
      12. Edit the tool (click the cog)
      13. Set:
        • "Name" to "Moodle Tool Site"
        • "Tool configuration usage" to "Show in activity chooser and as a preconfigured tool"
      14. Save the form

      Test creating a link and launching it several ways

      1. Login to the platform site
      2. Go to the course
      3. Click to create an activity or resource
      4. Select the "Moodle Tool Site" activity tile
      5. When you're taken to the edit form, click the "Select content" button
      6. In the popup, verify:
        • You see a view containing the "Use existing account" card
        • Since you're not logged in, you see a "Log in" button at the bottom
      7. Click the login button
      8. Proceed to login to the site
      9. Verify you're taken back to the previous view, but can now see "Link this account" presented as a button at the bottom. Don't login yet.
      10. Close the modal
      11. Click "Select content" again
      12. Verify you see the same view with "Link this account" listed. I.e. you're authenticated with the tool site inside the frame.
      13. Click the button to link the account, and proceed through any success notifications
      14. Verify you see a list of activities without errors
      15. Click the "Add to course" checkbox for the assignment and click "Add content"
      16. Verify the modal closes and you see the edit form, now updated with the assignment name
      17. Click "Save and return to course"
      18. Click the assignment you just created to launch the tool
      19. Verify you're taken to the assignment, inside a frame, and there are no errors on the page.
      20. Inside the iframe, from the top right user menu, click "Log out"
      21. Now, reload the page
      22. Verify you see the tool load within the iframe again, and that you are again logged in.
      23. Now, go to the site admin in the platform site
      24. Edit the "Moodle Tool Site" tool
      25. Set "Default launch container" to "New window"
      26. Go back to the course
      27. Note: This step only applies to 401 and 402 branches: Edit the activity settings for the assignment tool and change launch container to "New window" and save.
      28. Click the assignment to launch it
      29. Verify you're taken to a new tab and are signed into the tool site and can view the assignment
      30. Log out of the tool site in this new window
      31. Back in the platform tab, click the assignment again in the course
      32. Verify you're taken to a new tab and are signed into the tool site and can view the assignment
      33. Now, unlink the LTI account by running this in the tool site DB:

        DELETE FROM mdl_auth_lti_linked_login;

      Repeat the above testing process - "Test creating a link and launching it several ways" - for each of:

        • Firefox - vanilla settings
        • Firefox - with the 'network.cookie.sameSite.laxByDefault' set to true
        • Chrome
          Update the testing matrix (at the bottom of the testing instructions) as you proceed through each branch/browser combination.

      Testing matrix

      Branch Firefox Firefox w flag Chrome
      4.1      
      4.2      
      4.3      
      main      
      Show
      Prerequisites 1. This should to be tested in the following browsers: Firefox - vanilla settings (currently treats missing samesite as samesite=none) Firefox with 'network.cookie.sameSite.laxByDefault' set to true (in about:config) Chrome Please make sure you have access to these. 2. This needs to be tested using 2 public HTTPS sites on different domains. So, please make sure you can publish your dev sites using something like ngrok, localtunnel, expose, etc. etc. 3. You need two Moodle sites - one called 'platform' and one called 'tool': In the tool site admin settings: Enable enrol_lti and auth_lti plugins Enable "Allow frame embedding" Make both sites public, HTTPS sites using something like ngrok, localtunnel, expose, etc. Each MUST have a distinct domain to ensure we hit cross-site checks, so you may need to use 2 different tools Course setup Login to the tool site as the admin Create a course called 'tool course' Create an assignment in the course From the course nav, select "More > Published as LTI tools" Click to publish a new resource Select the assignment in the "Tool to be published" field, leaving everything else alone Save In another tab, login to the platform site as the admin Create a course called 'platform course' LTI 1.3 setup Login to the tool site as the admin user Go to Admin > Plugins > Enrolment plugins > Publish as LTI tool > Tool registration Click to create a new registration Name the registration "platform site" and continue You'll see a dynamic registration URL. Click the "Copy to clipboard" icon to copy it Now, in another browser tab, login as the admin user to the platform site Go to Site admin > Development > Debugging and set debug messages to "None". If we don't do this, we'll hit MDL-80674 . Go to to Admin > Plugins > Activities > External tool > Manage tools Paste the URL value into the "Tool URL" field Click "Add LTI Advantage" You should see a tool card now. Click "Activate" on it. Edit the tool (click the cog) Set: "Name" to "Moodle Tool Site" "Tool configuration usage" to "Show in activity chooser and as a preconfigured tool" Save the form Test creating a link and launching it several ways Login to the platform site Go to the course Click to create an activity or resource Select the "Moodle Tool Site" activity tile When you're taken to the edit form, click the "Select content" button In the popup, verify : You see a view containing the "Use existing account" card Since you're not logged in, you see a "Log in" button at the bottom Click the login button Proceed to login to the site Verify you're taken back to the previous view, but can now see "Link this account" presented as a button at the bottom. Don't login yet. Close the modal Click "Select content" again Verify you see the same view with "Link this account" listed. I.e. you're authenticated with the tool site inside the frame. Click the button to link the account, and proceed through any success notifications Verify you see a list of activities without errors Click the "Add to course" checkbox for the assignment and click "Add content" Verify the modal closes and you see the edit form, now updated with the assignment name Click "Save and return to course" Click the assignment you just created to launch the tool Verify you're taken to the assignment, inside a frame, and there are no errors on the page. Inside the iframe, from the top right user menu, click "Log out" Now, reload the page Verify you see the tool load within the iframe again, and that you are again logged in. Now, go to the site admin in the platform site Edit the "Moodle Tool Site" tool Set "Default launch container" to "New window" Go back to the course Note: This step only applies to 401 and 402 branches: Edit the activity settings for the assignment tool and change launch container to "New window" and save. Click the assignment to launch it Verify you're taken to a new tab and are signed into the tool site and can view the assignment Log out of the tool site in this new window Back in the platform tab, click the assignment again in the course Verify you're taken to a new tab and are signed into the tool site and can view the assignment Now, unlink the LTI account by running this in the tool site DB: DELETE FROM mdl_auth_lti_linked_login; Repeat the above testing process - "Test creating a link and launching it several ways" - for each of: Firefox - vanilla settings Firefox - with the 'network.cookie.sameSite.laxByDefault' set to true Chrome Update the testing matrix (at the bottom of the testing instructions) as you proceed through each branch/browser combination. Testing matrix Branch Firefox Firefox w flag Chrome 4.1       4.2       4.3       main      
    • 1
    • Team Hedgehog 2024 Sprint 1.2, Team Hedgehog 2024 Sprint 1.3

      SameSite In Firefox

      Clear any session cookies and then hit the login page on Firefox. You'll see the following in your console:

      Cookie “MoodleSession” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

      That links to https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

      This will likely prevent Moodle from being able to access session cookies in embedded launches, which of course it needs. See MDL-67175 where this was added for Chrome. We may need to include Firefox in that conditional now.

      Update: I can't find docs saying when "Soon" is yet, but you can set the default handling in about:config currently via network.cookie.sameSite.laxByDefault (which for me, on v118, is defaulted to false). See also: https://caniuse.com/mdn-http_headers_set-cookie_samesite_lax_default

      SameSite In Chrome

      The tool code relies on core's should_use_samesite_none() method doing the right thing. This is fragile. Ideally, the tool code would control this cookie in tool launches, and we'd have confidence that a change to the core method above wouldn't break LTI.

      This issue should therefore:

      1. Ensure SameSite=None; Secure; for MoodleSession cookies used during LTI launches - irrespective of browser, and done in the LTI tool code.

       To replicate the problem (a problem which will happen in future when Firefox changes their default policy):

      Note: This assumes working public, HTTPS setup between 2 Moodle sites, both on different domains. See testing for more information on setting up the LTI links (I'm not going to go into that level of depth in these replication steps).

      1. Open Firefox and go to about:config
      2. Set 'network.cookie.sameSite.laxByDefault' to true (the default at the time of writing this is false). This simulates lax treatment in future, which is what the warning hints at.
      3. Go to the Platform Moodle site
      4. Go to a course
      5. Click to add an activity, and select the Tool Moodle site
      6. Click "Select content"
        Expected: You're taken through the usual login flow before being asked to select resources from the Tool.
        Actual: You'll get an error during launch, something like "Invalid nonce".

      The above "Invalid nonce" error occurs because that's stored in the SESSION, which needs MoodleSession to be sent. It's not being sent because it's not got the proper SameSite=None; Secure; attributes set. The "State" OIDC param however, has been validated since the LTI cookie DOES have SameSite=None; Secure;

      Essentially, the state of affairs prior to patching this, is as follows:

      Branch Firefox Firefox w flag Chrome
      4.1 OK FAIL OK
      4.2 OK FAIL OK
      4.3 OK FAIL OK
      main OK FAIL OK

        1. MDL-79712.png
          MDL-79712.png
          338 kB

            jaked Jake Dallimore
            jaked Jake Dallimore
            Meirza Meirza
            Andrew Lyons Andrew Lyons
            Ron Carl Alfon Yu Ron Carl Alfon Yu
            Votes:
            1 Vote for this issue
            Watchers:
            8 Start watching this issue

              Created:
              Updated:
              Resolved:

                Estimated:
                Original Estimate - 0 minutes
                0m
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 2 days, 1 hour, 23 minutes
                2d 1h 23m

                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.