openwebwork / webwork2

Course management front end for WeBWorK
http://webwork.maa.org/wiki/Main_Page

session cookie management and LMS #1473

Open Alex-Jordan opened 3 years ago

Alex-Jordan commented 3 years ago

I'm not sure if this is on anyone's radar, so posting an issue. WW 2.16 moved to session management using cookies, if I understand correctly. I have found that with institutions using Canvas (and maybe others), if WeBWorK is set to open within a panel in the LMS, the session cookies aren't managed correctly (or at all?). The user will enter WeBWorK fine, but then if they try to do anything that would load the page, they are taken to the login screen.

Setting the external tool to open in a new tab gets past this. And that's what I would recommend to do anyway, because embedding all the WeBWorK navigation inside the LMS navigation looks messy and confusing.

I suspect the LMS is just interfering with what the application is allowed to do, as a well-intended security measure. And it's not letting the browser write a cookie. But I haven't looked deeper than the symptom and the workaround.

And then of course if it really is the LMS interfering, I'm not sure what WeBWorK can do about that. If there's nothing better to do, I will update the LTI pages on the wiki to strongly recommend opening WW in a new tab when setting up external tool links.

drgrice1 commented 3 years ago

Another option, if embedding is desired, is to set WeBWorK to manage the session via session keys. That should work still. In localOverrides.conf (or in the course.conf file for the course) add $session_management_via = "key";

Alex-Jordan commented 3 years ago

Oh, I didn't realize that keys were still an option. Thanks. Soon I will attempt an update of the LTI pages on the wiki. There are several things there worth updating, I think.

Alex-Jordan commented 3 years ago

Not closing this yet, because I think there is still an action item regarding documentation (that I volunteered to do, but haven't done yet). Another forum post appears today relating to this, which brought me here.

taniwallach commented 3 years ago

I suspect this may be related to the $CookieSameSite setting, but have not checked. It could be that the manner in which the LMS panel behaves treats WeBWorK as a third-party site to some extent.

There are some posts about Canvas and SameSite cookies which indicate that this may really be the problem:

If so, it could be that setting $CookieSameSite = "None"; and $CookieSecure = 1; might work. However, using None is not really recommended.

If I recall correctly, using $session_management_via = "key"; puts the session key into the URL, which seems less secure than an approach using cookies (preferably cookies and with $CookieSecure = 1; enabled).

I think it is probably better to recommend that WeBWorK be opened in a new window/tab, as @Alex-Jordan already suggested.
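
The SameSite behaviour suspected in this thread can be checked against a server's actual Set-Cookie header. The following is an added example, not part of the thread and not WeBWorK code: it models Chromium-style SameSite rules for a page loaded in a cross-site frame such as an LMS panel. The function names and the sample headers (cookie name and value are placeholders) are assumptions made for illustration.

```javascript
// Simplified model: ignores Domain/Path/expiry and any separate
// third-party-cookie blocking the browser may apply on top of SameSite.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: eq < 0 ? nameValue : nameValue.slice(0, eq),
    secure: false,
    sameSite: null, // null means the attribute is absent
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim());
    if (k.toLowerCase() === "secure") cookie.secure = true;
    if (k.toLowerCase() === "samesite") cookie.sameSite = v.toLowerCase();
  }
  return cookie;
}

// Would this cookie accompany requests made from inside a cross-site frame?
function embeddedFrameVerdict(header) {
  const c = parseSetCookie(header);
  // Assumption: Chromium default, where an absent or unknown SameSite is Lax.
  const known = ["strict", "lax", "none"];
  const mode = known.includes(c.sameSite) ? c.sameSite : "lax";
  if (mode === "none" && !c.secure) {
    return { name: c.name, sent: false, reason: "SameSite=None without Secure is rejected" };
  }
  if (mode !== "none") {
    return { name: c.name, sent: false, reason: `SameSite=${mode} is withheld in cross-site frames` };
  }
  return { name: c.name, sent: true, reason: "SameSite=None; Secure is eligible in cross-site frames" };
}

// Constructed sample headers, not captured from a real server.
const samples = [
  "ww_session_placeholder=VALUE; Path=/; SameSite=Strict",
  "ww_session_placeholder=VALUE; Path=/",
  "ww_session_placeholder=VALUE; Path=/; SameSite=None",
  "ww_session_placeholder=VALUE; Path=/; Secure; SameSite=None",
];
for (const h of samples) {
  const v = embeddedFrameVerdict(h);
  console.log(`${v.sent ? "sent    " : "withheld"} | ${v.reason} | ${h}`);
}
```

A "withheld" verdict matches the symptom in the original report: the first page loads, and the next request arrives without the session cookie. A "sent" verdict only means SameSite does not block the cookie; a browser's third-party cookie blocking can still withhold it.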