Moodle / MDL-82426

Mobile app is still not fully supporting partitioned cookies

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • None
    • 4.1.12, 4.2.9, 4.3.6, 4.4.2
    • Other
    • MOODLE_401_STABLE, MOODLE_402_STABLE, MOODLE_403_STABLE, MOODLE_404_STABLE
    • MDL-82426-master
    • Testing instructions:
      Prerequisite
      1. Moodle mobile app installed on an Android and iOS device (if possible).
      2. Your Moodle mobile app should be able to connect to your Moodle website using https. You can either do the following:
        • Ensure that the phone with the mobile app and the web server are on the same network. Or
        • Expose the web server over the internet via ngrok.
      Test login embedded browser
      1. As an admin, enable “Web services for mobile devices” on Site administration ► Advanced features
      2. As admin, ensure that Secure cookies are enabled on Site administration > General > Security > HTTP Security
      3. Go to Site administration > General > Mobile app authentication and select "Via an embedded browser" in "Type of login"
      4. Open the mobile app on your device, type your site URL and confirm that:
        • The authentication process is launched in a browser embedded in the site and that you are able to log in
      Test auto-login embedded content
      1. As admin in the site, create a page resource, containing an iframe pointing to another activity in the same course (for example, the forum), you can use a code like this: <iframe style="width: 400px; height:400px" src="LINK_TO_FORUM"></iframe>
        • Please notice that the link to the forum has to be using the ngrok base URL
      2. Using the mobile app, open the course with the page resource
      3. Confirm that:
        • You are able to see the contents of the iframe automatically (you are not asked to log in)
      Test with Development WebView and special flags
      • On your Android device, install Android System WebView Dev.
      • Change the default WebView via Developer Options -> WebView Implementation.
      • Open the WebView Dev application, go to Flags, and set the webview-force-disable-3pcs to Enabled.
      • Close and "kill" the Moodle mobile app and re-open it (so it will use the new Webview)
      • Repeat the previous tests (only the steps regarding the mobile app: step 4 for the first test and step 2 for the second)

      In MDL-81405 we introduced support for partitioned cookies for the mobile app. It caused a major regression, solved in MDL-81897; however, after using the app for some more time, we have detected additional scenarios where the app is not able to properly handle partitioned cookies.

      These are the scenarios detected:

      • Iframe pointing to another activity within the site
      • Iframe without auto-login
      • Embedded browser without auto-login (custom menu items)
      • Embedded browser with auto-login and then the user does logout

      In all of those scenarios, the Moodle site sometimes does not return partitioned cookies, so in the end we have a mix of partitioned and non-partitioned cookies that breaks the log-in process for the user.

      We need to find a solid solution for the app, which will consist of Moodle always returning partitioned cookies for requests containing the user-agent of the app.
      This will probably require us to add some code just after any invocation of session_regenerate_id(), which is when a new cookie is set.
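
A sketch of the approach proposed above, added here as an illustration; it is not Moodle core code and not the fix attached to this issue. The function names, the `MoodleSession` sample cookie name and the `MoodleMobile` user-agent marker are assumptions, and the sample headers are constructed.

```php
<?php
// Added illustration, not Moodle core code. Function names, the cookie name and
// the "MoodleMobile" user-agent marker are assumptions made for this example.

/** Return the header lines with "Partitioned" appended to the named cookie. */
function add_partitioned_attribute(array $headers, string $cookiename): array {
    $out = [];
    foreach ($headers as $line) {
        // Leave anything that is not a Set-Cookie line for this cookie untouched.
        if (!preg_match('/^Set-Cookie:\s*' . preg_quote($cookiename, '/') . '=/i', $line)) {
            $out[] = $line;
            continue;
        }
        // Partitioned is only honoured together with Secure, so never add it alone.
        $hassecure = (bool) preg_match('/;\s*Secure\s*(;|$)/i', $line);
        $haspartitioned = (bool) preg_match('/;\s*Partitioned\s*(;|$)/i', $line);
        if ($hassecure && !$haspartitioned) {
            $line = rtrim($line, "; \t") . '; Partitioned';
        }
        $out[] = $line;
    }
    return $out;
}

/** Regenerate the session id, then re-emit its cookie as partitioned for app requests. */
function regenerate_session_id_for_app(string $useragent): void {
    session_regenerate_id(true);
    if (stripos($useragent, 'MoodleMobile') === false || headers_sent()) {
        return;
    }
    $cookies = array_filter(headers_list(), fn($h) => stripos($h, 'Set-Cookie:') === 0);
    $fixed = add_partitioned_attribute(array_values($cookies), session_name());
    header_remove('Set-Cookie');
    foreach ($fixed as $line) {
        header($line, false); // false: append instead of replacing earlier Set-Cookie lines
    }
}

// Constructed sample headers showing the mixed state described in the issue.
$sample = [
    'Set-Cookie: MoodleSession=abc123; path=/; secure; HttpOnly; SameSite=None',
    'Set-Cookie: MoodleSession=def456; path=/; secure; HttpOnly; SameSite=None; Partitioned',
    'Set-Cookie: MOODLEID1_=xyz; path=/; secure',
];
print_r(add_partitioned_attribute($sample, 'MoodleSession'));
```

Run from the command line, only the pure rewrite function executes: the first sample line gains `Partitioned`, the second is left as it is, and the unrelated cookie is untouched.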

            jleyva Juan Leyva