Closed drgrice1 closed 4 months ago
Note that this is part 1 of 3 in a rather exhaustive revamp of webwork2's authentication system.
Is the switch to Mojolicious cookies the code in the session subroutine in the Controller module? Overall, except for that, it seems to be mostly some code cleanup and documentation improvement.
Most of it is just code cleanup. I tried to put all of that into this pull request so that once this is merged, the other pull requests are more transparent as to what they are doing. The main part of the code for switching to Mojolicious cookies is the session subroutine in the WeBWorK::Controller module (as you observed), and the calls to that method in the fetchCookie, sendCookie, and killCookie methods of WeBWorK::Authen.
Tested some, with no problems.
The primary advantage of this switch is that now cookies are signed. That means that unlike webwork2's current cookies, the data stored in the session cookies can be trusted to not have been tampered with. Note that setting the secrets in the conf/webwork2.mojolicious.yml file is now important (and not just something that we tell system administrators to do). That secret is the private key that is used to sign cookies.
The documentation on session management in defaults.config and localOverrides.conf.dist has been updated. Most of that was obsolete nonsense.
Note that the $debugPracticeUser has been removed. As stated in the comments about it in defaults.config, "Why do we even have this?"
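A minimal sketch of why the signing secret matters, added here as an illustration; it is not webwork2 or Mojolicious code. The `value--signature` layout, the use of HMAC-SHA256, and the cookie name, payload and secrets are all constructed assumptions for the example.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed secrets: the first signs new cookies, the second is an older
# secret that is still accepted for verification while it is rotated out.
my @secrets = ('constructed-current-secret', 'constructed-previous-secret');

# Sign "name=value" so a signature cannot be reused under another cookie name.
sub sign_cookie {
    my ($name, $value, $secret) = @_;
    return $value . '--' . hmac_sha256_hex("$name=$value", $secret);
}

# Compare two strings without stopping at the first differing character.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Return the value if any configured secret validates it, otherwise nothing.
sub verify_cookie {
    my ($name, $cookie, @keys) = @_;
    my ($value, $sig) = $cookie =~ /\A(.*)--([0-9a-f]{64})\z/s or return;
    for my $key (@keys) {
        return $value if constant_time_eq($sig, hmac_sha256_hex("$name=$value", $key));
    }
    return;
}

my $name    = 'example_session';                       # constructed cookie name
my $payload = 'user_id=student1&expires=1700000000';   # constructed session data
my $cookie  = sign_cookie($name, $payload, $secrets[0]);
(my $tampered = $cookie) =~ s/student1/professor1/;    # value edited, signature stale

my @cases = (
    ['untouched cookie'             => $cookie],
    ['value edited by the client'   => $tampered],
    ['signed with previous secret'  => sign_cookie($name, $payload, $secrets[1])],
    ['signed with an unknown secret' => sign_cookie($name, $payload, 'not-configured')],
);
for my $case (@cases) {
    my $value = verify_cookie($name, $case->[1], @secrets);
    printf "%-30s %s\n", $case->[0], defined $value ? "accepted ($value)" : 'rejected';
}
```

The first and third cases are accepted and the other two are rejected. Acceptance depends only on knowing a configured secret, so the integrity of the session data is exactly as strong as the secrecy of that value.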